

# Comparing AL2 and AL2023

The following topics describe key differences between AL2 and AL2023.

For more information on functionality deprecated in AL1, AL2, and AL2023, see [Deprecated Functionality in AL2023](deprecated.md).

**Topics**
+ [Added, upgraded, and removed packages](#package-changes)
+ [Support for each release](#al2-eol-date)
+ [Naming and versioning changes](#naming-and-versioning-changes)
+ [Optimizations](#optimize-performance)
+ [Sourced from multiple upstreams](#building-on-fedora)
+ [Networking system service](#networkd)
+ [Package manager](#package-manager)
+ [Using cloud-init](#using-cloud-init)
+ [Graphical desktop support](#graphical-desktop-support)
+ [Compiler Triplet](#compiler-triplet)
+ [32bit x86 (i686) Packages](#i686)
+ [`lsb_release` and the `system-lsb-core` package](#lsb-release)
+ [Extra Packages for Enterprise Linux (EPEL)](epel.md)
+ [Python 2.7 has been replaced with Python 3](python2.7-no-more.md)
+ [Security updates](security-updates.md)
+ [Deterministic upgrades for stability](compare-deterministic-upgrades.md)
+ [`gp3` as default Amazon EBS volume type](continuing-al2-filesystem.md)
+ [Unified Control Group hierarchy (cgroup v2)](cgroupv2.md)
+ [`systemd` timers replace `cron`](cron.md)
+ [Improved toolchain: gcc, binutils, and glibc](glibc-gcc-and-binutils.md)
+ [`systemd` journal replaces `rsyslog`](journald.md)
+ [Minimized package dependencies](minimized-pkg-dependencies.md)
+ [Amazon Corretto as the default JVM](compare-al2-java.md)
+ [AWS CLI v2](awscli2.md)
+ [UEFI Preferred and Secure Boot](uefi-preferred.md)
+ [SSH server default configuration changes](ssh-host-key.md)
+ [AL2023 kernel changes from AL2](compare-with-al2-kernel.md)
+ [`/tmp` is now `tmpfs`](compare-al2-al2023-tmp.md)
+ [AMI and Container Image changes](w2aac11c69.md)
+ [Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 AMIs](amzn2-al2023-ami.md)
+ [Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 Minimal AMIs](amzn2-al2023-minimal-ami.md)
+ [Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 base container images](amzn2-al2023-container.md)

## Added, upgraded, and removed packages


AL2023 contains thousands of software packages available for use. For a full list of all packages added, upgraded, or removed in AL2023 when compared to prior Amazon Linux versions, see [Package changes in AL2023](https://docs.aws.amazon.com/linux/al2023/release-notes/compare-packages.html). 

 To request a package to be added or changed in AL2023, file an issue in the [amazon-linux-2023 repo](https://github.com/amazonlinux/amazon-linux-2023/issues) on GitHub. 

## Support for each release


For AL2023, we offer five years of support.

 For more information, see [Release cadence](release-cadence.md). 

## Naming and versioning changes


AL2023 supports the same mechanisms that AL2 supports for platform identification. AL2023 also introduces new files for platform identification.

For more information, see [Naming and versioning](naming-and-versioning.md).

## Optimizations


AL2023 optimizes boot time to reduce the time from instance launch to running the customer workload. These optimizations span the Amazon EC2 instance kernel configuration, `cloud-init` configurations, and features that are built into packages in the OS such as `kmod` and `systemd`.

For more information about optimizations, see [Performance and operational optimizations](performance-optimizations.md).

## Sourced from multiple upstreams


AL2023 is RPM-based and includes components sourced from multiple versions of Fedora and other distributions, such as CentOS 9 Stream. The Amazon Linux kernel is sourced from the long-term support (LTS) releases directly from kernel.org, chosen independently from other distributions.

For more information, see [Relationship to Fedora](relationship-to-fedora.md).

## Networking system service


The `systemd-networkd` system service manages the network interfaces in AL2023. This is a change from AL2, which uses ISC dhclient or `dhclient`.

For more information, see [Networking service](networking-service.md). 

## Package manager


The default software package management tool on AL2023 is DNF. DNF is the successor to YUM, the package management tool in AL2.

For more information, see [Package management tool](package-management.md). 

## Using cloud-init


In AL2023, cloud-init manages the package repository. In earlier versions of Amazon Linux, cloud-init installed security updates by default. This isn't the default for AL2023. To enable package updates at launch in AL2023, use the deterministic upgrade features for updating `releasever` at launch. For more information, see [Manage package and operating system updates in AL2023](managing-repos-os-updates.md) and [Deterministic upgrades for stability](compare-deterministic-upgrades.md).

With AL2023, you can use cloud-init with SELinux. For more information, see [Use cloud-init to enable `enforcing` mode](enforcing-mode.md#cloud-init-enforcing). 

cloud-init can load configuration content from remote locations using HTTP(S). Earlier versions of Amazon Linux don't alert you when remote resources are unavailable. In AL2023, an unavailable remote resource is a fatal error and causes the cloud-init execution to fail. This change in behavior from AL2 provides a safer "fail closed" default.

 For more information, see [Customized cloud-init](cloud-init.md) and the [cloud-init Documentation](https://cloudinit.readthedocs.io/en/22.2.2/).

## Graphical desktop support


AL2023 features a GNOME-based graphical desktop environment as of release 2023.7, replacing the MATE desktop used in AL2. This version provides users with a different desktop experience while maintaining AL2023's cloud-optimized performance. The GNOME desktop environment offers various customization options, system integration features, and a distinct user interface design, providing users with an alternative to the previous MATE desktop environment. See the [AL2023 Graphical Desktop](graphical-desktop-al2023.md) page for more details.

## Compiler Triplet


AL2023 sets the compiler triplet for GCC and `LLVM` to indicate that `amazon` is the vendor. 

Thus, the AL2 `aarch64-redhat-linux-gcc` becomes `aarch64-amazon-linux-gcc` on AL2023. 

This should be completely transparent for most users, and might only affect those who are building compilers on AL2023.

## 32bit x86 (i686) Packages


As part of the [2014.09 release of AL1](https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/) it was announced that it would be the last release to produce 32-bit AMIs. Thus, from the [2015.03 release of AL1](https://aws.amazon.com/amazon-linux-ami/2015.03-release-notes/), Amazon Linux no longer supported running the system in 32-bit mode. AL2 offered limited runtime support for 32bit binaries on x86-64 hosts, and did not provide development packages to enable the building of new 32-bit binaries. AL2023 no longer includes any 32bit userspace packages. We recommend that you complete your transition to 64-bit code.

If you need to run 32-bit binaries on AL2023, it is possible to use the 32-bit user-space from AL2 inside an AL2 container running on top of AL2023.

## `lsb_release` and the `system-lsb-core` package


 Historically, some software invoked the `lsb_release` command (provided in AL2 by the `system-lsb-core` package) to get information about the Linux distribution that it was being run on. The Linux Standards Base (LSB) introduced this command and Linux distributions adopted it. Linux distributions have evolved to use the simpler standard of holding this information in `/etc/os-release` and other related files. 

 The `os-release` standard comes out of `systemd`. For more information, see [systemd os-release documentation](https://www.freedesktop.org/software/systemd/man/os-release.html). 

 AL2023 doesn't ship with the `lsb_release` command, and doesn't include the `system-lsb-core` package. Software should complete the transition to the `os-release` standard to maintain compatibility with Amazon Linux and other major Linux distributions. 
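The transition described above, as an added example that is not part of the AWS documentation: a POSIX shell replacement for `lsb_release` lookups that parses `os-release` as data instead of sourcing it. The function names are hypothetical, and the `ID=amzn` with `VERSION_ID` of `2` or `2023` values used to tell the releases apart are assumptions not stated on this page.

```sh
#!/bin/sh
# Added example: read os-release fields without lsb_release and without
# sourcing the file (values are parsed as data, never executed).

# os_release_get KEY [FILE]
# Prints the value of KEY. With no FILE, tries /etc/os-release and then
# /usr/lib/os-release, the lookup order given in the os-release documentation.
os_release_get() {
    osr_key=$1
    osr_file=${2:-}
    if [ -z "$osr_file" ]; then
        for osr_candidate in /etc/os-release /usr/lib/os-release; do
            if [ -r "$osr_candidate" ]; then
                osr_file=$osr_candidate
                break
            fi
        done
    fi
    if [ -z "$osr_file" ] || [ ! -r "$osr_file" ]; then
        return 1
    fi
    awk -v key="$osr_key" -v sq="'" '
        # Drop the backslash from \" \$ \` \\ inside a double-quoted value.
        function unescape(s,    out, i, c, n) {
            out = ""; n = length(s)
            for (i = 1; i <= n; i++) {
                c = substr(s, i, 1)
                if (c == "\\" && i < n) { i++; c = substr(s, i, 1) }
                out = out c
            }
            return out
        }
        /^[ \t]*#/ { next }                       # comment line
        {
            sub(/\r$/, "")                        # tolerate CRLF files
            eq = index($0, "=")
            if (eq == 0 || substr($0, 1, eq - 1) != key) next
            v = substr($0, eq + 1)
            n = length(v)
            if (n >= 2 && substr(v, 1, 1) == "\"" && substr(v, n, 1) == "\"")
                v = unescape(substr(v, 2, n - 2))
            else if (n >= 2 && substr(v, 1, 1) == sq && substr(v, n, 1) == sq)
                v = substr(v, 2, n - 2)
            val = v; found = 1                    # last assignment wins
        }
        END { if (!found) exit 1; print val }
    ' "$osr_file"
}

# al_generation [FILE]
# Prints al2023, al2, amzn-other, or other. Prints "unknown" and returns 1
# when no os-release file can be read.
# Assumption: Amazon Linux sets ID=amzn and VERSION_ID to 2 or 2023.
al_generation() {
    alg_id=$(os_release_get ID "${1:-}") || { echo unknown; return 1; }
    alg_ver=$(os_release_get VERSION_ID "${1:-}") || alg_ver=""
    case "$alg_id:$alg_ver" in
        amzn:2023) echo al2023 ;;
        amzn:2)    echo al2 ;;
        amzn:*)    echo amzn-other ;;
        *)         echo other ;;
    esac
}
```

Scripts that previously branched on `lsb_release -is` or `lsb_release -rs` can branch on `al_generation` or on individual `os_release_get` fields instead.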

# Extra Packages for Enterprise Linux (EPEL)

 The Comparing AL2 to AL2023 section has been modified to reflect the addition of SPAL to AL2023. SPAL is an additional repository that provides many EPEL9 packages, built for AL2023. Since SPAL packages are not fully supported like other core packages, this page will not be removed or replaced with the SPAL page. 

**Warning**  
 The AL2 `epel` Extra enabled the third party EPEL7 repository. As of 2024-06-30 the third-party EPEL7 repository is *no longer being maintained*.   
 This third-party repository will have *no future updates*. This means there will be *no security fixes* for packages in the *EPEL* repository.   
 This section will cover options in AL2023 for packages found in EPEL. 

 Extra Packages for Enterprise Linux (EPEL) is a project in the Fedora community with the objective of creating a large array of packages for enterprise-level Linux operating systems. The project has primarily produced RHEL and CentOS packages. AL2 features a high level of compatibility with CentOS 7. As a result, many EPEL7 packages work on AL2. 

 There are no EPEL versions that are binary compatible with AL2023. However, customers that want to use their EPEL7 packages in AL2023 have a few options. Some EPEL packages have alternatives in AL2023, while others are provided as part of [Supplementary Packages for Amazon Linux](spal.md). 

**Warning**  
 Only add repositories designed to be used with AL2023.   
 While repositories designed for other distributions may work today, there is no guarantee they will continue to do so with any package update in AL2023 or the repository not designed for use with AL2023. 

 This page provides information about the EPEL7 packages used by customers on AL2 and their AL2023 counterparts. 

 For the rest of the packages, customers might be able to use Supplementary Packages for Amazon Linux (SPAL). SPAL provides thousands of EPEL9 packages, built specifically for Amazon Linux 2023, but these packages are not covered by AWS Support Plans. This means CVEs are not being tracked for SPAL packages, and patches are only provided when available upstream. 

**Important**  
 Consult documentation of [Supplementary Packages for Amazon Linux](spal.md) before using it. 
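To act on the two warnings above during a migration, the following added example (not part of the AWS documentation) lists enabled repository definitions that still point at EPEL. The function names are hypothetical; the example assumes the standard `.repo` INI layout under `/etc/yum.repos.d`, where a section is enabled unless it sets `enabled` to a false value.

```sh
#!/bin/sh
# Added example: find enabled repository sections that reference EPEL.

# enabled_epel_repos [DIR]
# Prints "<repo id><TAB><file>" for every enabled section in DIR/*.repo whose
# id or baseurl/mirrorlist/metalink value mentions "epel".
enabled_epel_repos() {
    repo_dir=${1:-/etc/yum.repos.d}
    for repo_file in "$repo_dir"/*.repo; do
        [ -f "$repo_file" ] || continue
        awk -v file="$repo_file" '
            function report() {
                if (id != "" && enabled && (hit || tolower(id) ~ /epel/))
                    printf "%s\t%s\n", id, file
            }
            { sub(/\r$/, "") }                        # tolerate CRLF files
            /^[ \t]*[#;]/ { next }                    # comment line
            /^[ \t]*\[/ {                             # start of a [section]
                report()
                id = $0
                sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
                enabled = 1; hit = 0; inurl = 0       # enabled unless stated otherwise
                next
            }
            /^[ \t]+[^ \t]/ && inurl {                # continuation of a URL list
                if (tolower($0) ~ /epel/) hit = 1
                next
            }
            {
                eq = index($0, "=")
                if (eq == 0) next
                k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
                v = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", v)
                inurl = (k == "baseurl" || k == "mirrorlist" || k == "metalink")
                if (k == "enabled") enabled = (v ~ /^(1|yes|true|on)$/)
                else if (inurl && v ~ /epel/) hit = 1
            }
            END { report() }
        ' "$repo_file"
    done
}

# has_enabled_epel [DIR]
# Returns 0 when at least one enabled EPEL repository is configured.
has_enabled_epel() {
    [ -n "$(enabled_epel_repos "${1:-}")" ]
}
```

A match on an AL2 host identifies packages that no longer receive fixes; a match on an AL2023 host identifies a repository that was not designed for it.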

**Topics**
+ [`axel` - HTTP/FTP client](#axel)
+ [`brotli` and `libbrotli` - compression](#brotli)
+ [`collectd` - Statistics collection daemon](#collectd)
+ [`cpulimit` - CPU Usage limiter](#cpulimit)
+ [`exim` - mail transfer agent](#exim)
+ [`fuse3` - File System in Userspace (FUSE) v3](#fuse3)
+ [`ganglia` - Distributed Monitoring System](#ganglia)
+ [`git-lfs` - version control large files with Git](#git-lfs)
+ [`haveged` - an entropy source using the HAVEGE algorithm](#haveged)
+ [`inotify-tools` - inotify command line tools](#inotify-tools)
+ [`iperf` - TCP/UDP Performance benchmark](#iperf)
+ [`jemalloc` - alternative `malloc` implementation](#jemalloc)
+ [`libbsd` - BSD-compatible function library](#libbsd)
+ [`libserf` - HTTP Client Library](#libserf)
+ [`libzstd` - zstd compression library](#libzstd)
+ [`lighttpd` web server](#lighttpd)
+ [`lshell` - a restricted shell](#lshell)
+ [`monit` - process, file, directory, and devices monitor](#monit)
+ [`nodejs`](#nodejs)
+ [`perl-Config-General`](#perl-Config-General)
+ [`python2-lockfile` - file locking](#python2-lockfile)
+ [`python2-rsa` - pure Python RSA](#python2-rsa)
+ [`python2-simplejson` - JSON routines for Python 2](#python2-simplejson)
+ [`rkhunter` - Rootkit Hunter](#rkhunter)
+ [`rssh` - a restricted shell for use with OpenSSH](#rssh)
+ [`sscg` - self-signed SSL certificate generator](#sscg)
+ [`stress` - Stress test](#stress)
+ [`stress-ng` - Stress test](#stress-ng)
+ [`tmpwatch` - removes files based on last accessed time](#tmpwatch)
+ [`xmlstarlet` - command line XML utilities](#xmlstarlet)

## `axel` - HTTP/FTP client


 The `axel` package was in EPEL7, and has not ever shipped as part of Amazon Linux. Alternatives available in AL2023 are `curl` and `wget`. 

**Warning**  
 The `-S` option to `axel` uses an *unencrypted* http connection to discover mirrors for a file. 

 It is highly recommended to migrate any use of `axel` over to either `curl` or `wget`. 

## `brotli` and `libbrotli` - compression


 The `brotli` and `libbrotli` packages were in EPEL7, while just the `brotli` package was available in AL2 core. 

 Both the `brotli` and `libbrotli` packages are included in AL2023. 

 The `brotli` package can be installed on AL2023 with the following command: 

```
[ec2-user ~]$ sudo dnf install brotli
```

 The `libbrotli` package can be installed on AL2023 with the following command: 

```
[ec2-user ~]$ sudo dnf install libbrotli
```

## `collectd` - Statistics collection daemon


 The `collectd` package was in EPEL7, and was also available in the `collectd` and `collectd-python3` AL2 Extras. 

 The `collectd` package is included in AL2023 and can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install collectd
```

## `cpulimit` - CPU Usage limiter

 In Amazon Linux 2023, `systemd` provides functionality to limit the CPU usage of processes, or groups of processes. This functionality is also easy to use for any `systemd` service. 

 There are powerful resource control facilities provided by `systemd` which can be used to ensure any task or group of tasks is limited in what resources it can consume. For more information, see the upstream [systemd.resource-control](https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html) documentation, along with the [Limiting process resource usage in AL2023 using systemd](resource-limiting-systemd.md). 

## `exim` - mail transfer agent


 The `exim` package was in EPEL7, and previously available in AL1. Amazon Linux 2023 provides both the `postfix` and `sendmail` Mail Transfer Agents (MTAs). 

## `fuse3` - File System in Userspace (FUSE) v3


 The `fuse3` packages (including `fuse3-libs` and `fuse3-devel`) were in EPEL7. These packages are part of AL2023, and each can be installed by running the relevant command from the following: 

```
[ec2-user ~]$ sudo dnf install fuse3
```

```
[ec2-user ~]$ sudo dnf install fuse3-libs
```

```
[ec2-user ~]$ sudo dnf install fuse3-devel
```

## `ganglia` - Distributed Monitoring System


 The `ganglia` package was in EPEL7, and previously available in AL1. It was not shipped with AL2. 

 The upstream project had a period of inactivity where some open CVEs were not being addressed. While there has been recent activity in the upstream project, it is not planned to add `ganglia` to AL2023. 

## `git-lfs` - version control large files with Git


 The `git-lfs` package was in EPEL7. In Amazon Linux 2023, the `git-lfs` package is included in the core repository. On AL2023, `git-lfs` can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install git-lfs
```

## `haveged` - an entropy source using the HAVEGE algorithm


 The `haveged` package was in EPEL7. Amazon Linux 2023 comes pre-configured with entropy sources, not requiring the use of `haveged`. 

## `inotify-tools` - inotify command line tools


 The `inotify-tools` package was in EPEL7, and is included in AL2023. 

**Note**  
 In AL2023, `systemd` supports path based activation which can be used for taking action on events such as when a path exists or changes.   
 Much of what `inotify-tools` is used for can now be better accomplished in a more reliable manner using `systemd` path activation. For more information, see [systemd.path](https://www.freedesktop.org/software/systemd/man/latest/systemd.path.html). 

 The `inotify-tools` package is included in AL2023 and can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install inotify-tools
```

## `iperf` - TCP/UDP Performance benchmark


 The `iperf` version 2 package was in EPEL7, and was also available in the `testing` AL2 Extra and in AL1. 

**Note**  
 The `iperf3` package is also available, providing version 3 of `iperf`. 

 The `iperf` package is included in AL2023 and can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install iperf
```

## `jemalloc` - alternative `malloc` implementation


 The `jemalloc` package was in EPEL7, and was available in the `lamp-mariadb10.2-php7.2` and `mariadb10.5` AL2 Extras. 

 The `jemalloc` package is included in AL2023 and can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install jemalloc
```

## `libbsd` - BSD-compatible function library


 The `libbsd` package was in EPEL7, and was also available in the `testing` AL2 Extra. 

 The `libbsd` package is included in AL2023 and can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install libbsd
```

 The development files for `libbsd` can be installed by running the following command. 

```
[ec2-user ~]$ sudo dnf install libbsd-devel
```

## `libserf` - HTTP Client Library


 The `libserf` package was in EPEL7. The `libserf` package is provided in Amazon Linux 2023. It can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install libserf
```

## `libzstd` - zstd compression library


 The `libzstd` package was in AL2 core, as well as in EPEL7. The `libzstd` package is also part of AL2023. 

```
[ec2-user ~]$ sudo dnf install libzstd
```

## `lighttpd` web server


 The `lighttpd` package was in EPEL7, and previously available in AL1. Amazon Linux 2023 provides both the Apache `httpd` and `nginx` web servers. 

## `lshell` - a restricted shell


 The `lshell` package has never been shipped as part of Amazon Linux. It was available in EPEL6. The [Fedora packaging repository for `lshell`](https://src.fedoraproject.org/rpms/lshell) covers [why it was not packaged](https://src.fedoraproject.org/rpms/lshell/c/cb122f0a16c9f1d5c2af8582b740a3f62587a951?branch=rawhide) in EPEL7 or Fedora 30. It was also [removed from Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862302). 

 The upstream `lshell` project is [no longer being actively maintained](https://github.com/ghantoos/lshell/issues/209), and contains [known unpatched](https://github.com/ghantoos/lshell/issues/188) *Critical CVEs*: [CVE-2016-6902](https://nvd.nist.gov/vuln/detail/CVE-2016-6902) and [CVE-2016-6903](https://nvd.nist.gov/vuln/detail/CVE-2016-6903). 

 The alternative suggested in the Debian bug, [http://www.pizzashack.org/rssh/](http://www.pizzashack.org/rssh/) is also unmaintained upstream, with the author citing unfixable security issues as the reason. 

 For these reasons, adding `lshell` to AL2023 is not planned. 

## `monit` - process, file, directory, and devices monitor


 In Amazon Linux 2023, `systemd` provides a wide array of functionality for monitoring, starting, stopping, and restarting services. This includes rate limiting restarts, waiting between restart attempts, and starting another service on failure. For more information, see the [systemd.service](https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html) documentation. 

 In AL2023, `systemd` also supports path based activation which can be used for taking action on events such as when a path exists or changes. For more information, see [systemd.path](https://www.freedesktop.org/software/systemd/man/latest/systemd.path.html). 

 There are common configuration options for `systemd` units which allow specifying dependencies, conditionals, and actions to take on success or failure. For more information, see the [systemd.unit](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html) documentation. 

 There are powerful resource control facilities provided by `systemd` which can be used to ensure any monitoring task does not use excessive CPU or memory. For more information, see [systemd.resource-control](https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html). 

## `nodejs`


 The `nodejs` version 16 package was in EPEL7, and `nodejs` is now included in AL2023. At the time of writing, both `nodejs` version 18 and 20 were available in AL2023. You can install `nodejs` 18 on AL2023 with the following command: 

```
[ec2-user ~]$ sudo dnf install nodejs
```

 You can install `nodejs` 20 on AL2023 with the following command: 

```
[ec2-user ~]$ sudo dnf install nodejs20
```

## `perl-Config-General`


 The `perl-Config-General` package was in EPEL7, and is now included in AL2023. You can install the `perl-Config-General` package in AL2023 with the following command: 

```
[ec2-user ~]$ sudo dnf install perl-Config-General
```

 Perl modules can also be installed by asking DNF to install the package that provides a particular Perl module. With this method, you can use the more familiar Perl module name rather than the OS package name. 

```
[ec2-user ~]$ sudo dnf install 'perl(Config::General)'
```

## `python2-lockfile` - file locking


 The `python2-lockfile` package was in EPEL7, and AL2 included a `python-lockfile` package. In AL2023 [Python 2.7 has been replaced with Python 3](python2.7-no-more.md), so a *Python 2* variant of this package will not be added to AL2023. 

 The *Python 3* version of this package *is included in AL2023*. You can install the `python3-lockfile` package in AL2023 with one of the following commands: 

```
[ec2-user ~]$ sudo dnf install python3-lockfile
```

 Python modules can also be installed by asking DNF to install the package that provides a particular Python module. 

```
[ec2-user ~]$ sudo dnf install 'python3dist(lockfile)'
```

## `python2-rsa` - pure Python RSA


 The `python2-rsa` package was in EPEL7, and AL2 included a `python2-rsa` package. In AL2023 [Python 2.7 has been replaced with Python 3](python2.7-no-more.md), so a *Python 2* variant of this package will not be added to AL2023. 

 The *Python 3* version of this package *is included in AL2023*. You can install the `python3-rsa` package in AL2023 with one of the following commands: 

```
[ec2-user ~]$ sudo dnf install python3-rsa
```

 Python modules can also be installed by asking DNF to install the package that provides a particular Python module. 

```
[ec2-user ~]$ sudo dnf install 'python3dist(rsa)'
```

## `python2-simplejson` - JSON routines for Python 2


 The `python2-simplejson` package was in EPEL7. In AL2023 [Python 2.7 has been replaced with Python 3](python2.7-no-more.md), so a *Python 2* variant of this package will not be added to AL2023. 

 The *Python 3* version of this package *is included in AL2023*. You can install the `python3-simplejson` package in AL2023 with the following command: 

```
[ec2-user ~]$ sudo dnf install python3-simplejson
```

 Python modules can also be installed by asking DNF to install the package that provides a particular Python module. 

```
[ec2-user ~]$ sudo dnf install 'python3dist(simplejson)'
```

## `rkhunter` - Rootkit Hunter


 The `rkhunter` package is included in AL2023 along with `chkrootkit`. 

```
[ec2-user ~]$ sudo dnf install rkhunter
```

```
[ec2-user ~]$ sudo dnf install chkrootkit
```

## `rssh` - a restricted shell for use with OpenSSH


 The `rssh` package was in EPEL7. The upstream [http://www.pizzashack.org/rssh/](http://www.pizzashack.org/rssh/) package is unmaintained, with the author citing unfixable security issues as the reason. 

 With the author citing unfixable security issues, adding `rssh` to AL2023 is not planned. 

## `sscg` - self-signed SSL certificate generator


 The `sscg` package was in AL2 core, as well as in EPEL7. The `sscg` package is also part of AL2023. 

```
[ec2-user ~]$ sudo dnf install sscg
```

## `stress` - Stress test


 The `stress` package was in EPEL7, and was also available in AL1. 

 The `stress` package is included in AL2023 and can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install stress
```

## `stress-ng` - Stress test


 The `stress-ng` package was in EPEL7, and was also available in the `testing` AL2 Extra. 

 The `stress-ng` package is included in AL2023 and can be installed by running the following command: 

```
[ec2-user ~]$ sudo dnf install stress-ng
```

## `tmpwatch` - removes files based on last accessed time


 In Amazon Linux 2023, this functionality is provided by [`systemd-tmpfiles`](https://www.freedesktop.org/software/systemd/man/latest/systemd-tmpfiles.html). 

## `xmlstarlet` - command line XML utilities


 The `xmlstarlet` package was in EPEL7, and is not available in AL2023. 

 The upstream package has not been touched in over 9 years (last touched in August 2014). For an additional four years prior (since at least July 2010), a request for a new maintainer has gone unanswered. It is for this reason that it is not planned to add `xmlstarlet` to AL2023. 

# Python 2.7 has been replaced with Python 3


 AL2 provides support and security patches for Python 2.7 until June 2025, as part of our long-term support (LTS) commitment for AL2 core packages. This support extends beyond the upstream Python community declaration of Python 2.7 end-of-life of January 2020. 

 AL2 uses the `yum` package manager, which has a hard dependency on Python 2.7. In AL2023 the `dnf` package manager has migrated to Python 3, and no longer requires Python 2.7. AL2023 has completely moved to Python 3. 

**Note**  
 AL2023 removed Python 2.7, so any OS components requiring Python are written to work with Python 3. To continue to use a version of Python provided by and supported by Amazon Linux, convert Python 2 code to Python 3. 

For more information on Python on Amazon Linux, see [Python in AL2023](python.md).

# Security updates


 Amazon Linux 2023 improves upon the hardening present in AL2. For more information, see [Security and Compliance in Amazon Linux 2023](security.md). For more information on kernel hardening changes from AL2, see [Security focused kernel config changes](compare-with-al2-kernel.md#security-kernel-config-changes). 

**Topics**
+ [SELinux](selinux.md)
+ [OpenSSL 3](openssl3.md)
+ [IMDSv2](imdsv2.md)
+ [Removal of log4j hotpatch (`log4j-cve-2021-44228-hotpatch`)](log4j-hotpatch.md)

# SELinux


By default, Security Enhanced Linux (SELinux) for AL2023 is `enabled` and set to `permissive` mode. In `permissive` mode, permission denials are logged but not enforced. 

SELinux is a security feature of the Amazon Linux kernel, which was `disabled` in AL2. SELinux is a collection of kernel features and utilities that provides mandatory access control (MAC) architecture into the major subsystems of the kernel. 

For more information, see [Setting SELinux modes for AL2023](selinux-modes.md). 

For more information about SELinux repositories, tools, and policies, see [SELinux Notebook](https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md), [Types of SELinux policy](https://github.com/SELinuxProject/selinux-notebook/blob/main/src/types_of_policy.md#types-of-selinux-policy), and [SELinux Project](https://github.com/SELinuxProject.html). 

# OpenSSL 3


AL2023 features the Open Secure Sockets Layer version 3 (OpenSSL 3) cryptography toolkit. AL2023 supports TLS 1.3 and TLS 1.2 network protocols.

By default, AL2 comes with OpenSSL 1.0.2. You can build applications against OpenSSL 1.1.1.

For more information about OpenSSL, see the [OpenSSL migration guide](https://www.openssl.org/docs/man3.0/man7/migration_guide.html). 

For more information about security, see [Security updates and features](security-features.md).

# IMDSv2


By default, instances launched with the AL2023 AMI require IMDSv2, and the default hop limit is set to 2 to support containerized workloads. This is done by setting the `imds-support` parameter to `v2.0`. For more information, see [Configure the AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances-ami-configuration) in the *Amazon EC2 User Guide*.

**Note**  
The session token's time of validity can be anywhere between 1 second and 6 hours. The addresses to direct the API requests for IMDSv2 queries are the following:  
IPv4: `169.254.169.254`  
IPv6: `fd00:ec2::254`

You can manually override these settings and enable IMDSv1 using Instance Metadata option launch properties. You can also use IAM controls to enforce different IMDS settings. For more information about setting up and using the Instance Metadata Service, see [Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service), [Configure instance metadata options for new instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances), and [Modify instance metadata options for existing instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances), in the *Amazon EC2 User Guide*.
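The session flow behind these defaults, as an added example that is not part of the AWS documentation. The function names are hypothetical; the `/latest/api/token` path, the two `X-aws-ec2-metadata-token*` headers, and the HTTP 401 answer to a request without a token are the IMDSv2 interface as described in the *Amazon EC2 User Guide*, not on this page.

```sh
#!/bin/sh
# Added example: IMDSv2 session flow using the addresses and the token
# lifetime limits stated in the note above.

IMDS_V4="http://169.254.169.254"
IMDS_V6="http://[fd00:ec2::254]"
IMDS_TTL_MAX=21600                     # 6 hours, in seconds

# imds_ttl_ok SECONDS: true only for an integer from 1 second to 6 hours.
imds_ttl_ok() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-numeric, or too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$IMDS_TTL_MAX" ]
}

# imds_token BASE_URL TTL: open a session with a PUT and print the token.
imds_token() {
    curl -sS -f -g --max-time 2 -X PUT "$1/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: $2"
}

# imds_get BASE_URL TOKEN PATH: read PATH under /latest/ inside the session.
imds_get() {
    curl -sS -f -g --max-time 2 -H "X-aws-ec2-metadata-token: $2" "$1/latest/$3"
}

# imds_fetch PATH [TTL]: try the IPv4 address, then the IPv6 address.
imds_fetch() {
    imds_ttl=${2:-60}
    if ! imds_ttl_ok "$imds_ttl"; then
        echo "token TTL must be 1..$IMDS_TTL_MAX seconds" >&2
        return 2
    fi
    for imds_base in "$IMDS_V4" "$IMDS_V6"; do
        if imds_tok=$(imds_token "$imds_base" "$imds_ttl" 2>/dev/null) &&
           [ -n "$imds_tok" ]; then
            imds_get "$imds_base" "$imds_tok" "$1"
            return
        fi
    done
    echo "no IMDSv2 endpoint issued a token" >&2
    return 1
}

# imds_v1_disabled BASE_URL: returns 0 only when a request without a token
# is explicitly refused with HTTP 401, which is what an IMDSv2-only instance
# does. An unreachable endpoint or any other status returns 1.
imds_v1_disabled() {
    imds_code=$(curl -s -g -o /dev/null --max-time 2 -w '%{http_code}' \
        "$1/latest/meta-data/") || true
    [ "$imds_code" = "401" ]
}
```

On an instance, `imds_fetch meta-data/instance-id` prints the instance ID, and `imds_v1_disabled "$IMDS_V4"` confirms that the AL2023 default has not been overridden.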

# Removal of log4j hotpatch (`log4j-cve-2021-44228-hotpatch`)


**Note**  
AL2023 doesn't ship with the `log4j-cve-2021-44228-hotpatch` package.

 In response to [CVE-2021-44228](https://alas.aws.amazon.com/cve/html/CVE-2021-44228.html), Amazon Linux released an RPM packaged version of the [Hotpatch for Apache Log4j](https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/) for AL1 and AL2. In the [announcement of the addition of the hotpatch to Amazon Linux](https://alas.aws.amazon.com/announcements/2021-001.html) we noted that "Installing the hotpatch is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046.". 

 The hotpatch was a mitigation to allow time to patch `log4j`. The first General Availability (GA) release of AL2023 was 15 months after [CVE-2021-44228](https://alas.aws.amazon.com/cve/html/CVE-2021-44228.html), thus AL2023 doesn't ship with the hotpatch (enabled or not). 

 Users running their own `log4j` versions on Amazon Linux should ensure that they have updated to versions not affected by [CVE-2021-44228](https://alas.aws.amazon.com/cve/html/CVE-2021-44228.html) or [CVE-2021-45046](https://alas.aws.amazon.com/cve/html/CVE-2021-45046.html). 

 AL2023 provides guidance on [Updating AL2023](updating.md) so that you can keep up to date with security patches. Security advisories are published on the [Amazon Linux Security Center](https://alas.aws.amazon.com/alas2023.html). 

# Deterministic upgrades for stability


With the deterministic upgrades through versioned repositories feature, every AL2023 AMI by default is locked to a specific repository version. You can use deterministic upgrades to achieve greater consistency among package versions and updates. Each release, major or minor, includes a specific repository version.

New with AL2023, deterministic upgrading by default is enabled. This is an improvement over the manual, incremental method of locking that's used in AL2 and other earlier versions.

For more information, see [Deterministic upgrades through versioned repositories on AL2023](deterministic-upgrades.md).

# `gp3` as default Amazon EBS volume type


The AL2023 AMI and AL2 both use the XFS file system on the root file system. For AL2023, the `mkfs` options for the root device file system are further optimized for Amazon EC2. AL2023 also supports a number of other file systems that you can use on other volumes to meet your specific requirements.

AL2023 AMIs use Amazon EBS `gp3` volumes by default, whereas AL2 AMIs use Amazon EBS `gp2` volumes by default. You can change the volume type when you launch an instance.

For more information about Amazon EBS volume types, see [Amazon EBS General Purpose Volumes](https://aws.amazon.com//ebs/general-purpose/).

For more information about launching an Amazon EC2 instance, see [Launch an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance) in the *Amazon EC2 User Guide*.

# Unified Control Group hierarchy (cgroup v2)


 A Control Group (cgroup) is a Linux kernel feature to hierarchically organize processes and distribute system resources between them. Control Groups are used extensively to implement a container runtime, and by `systemd`. 

 AL2 supports cgroupv1, and AL2023 supports cgroupv2. This is notable if running containerized workloads, such as when [Using AL2023 based Amazon ECS AMIs to host containerized workloads](ecs.md). 

 Although AL2023 still includes code that can make the system run using cgroupv1, this is not a recommended or supported configuration, and will be completely removed in a future major release of Amazon Linux. 

 There is extensive documentation regarding the [low-level Linux Kernel interfaces](https://docs.kernel.org/admin-guide/cgroup-v2.html), as well as [systemd cgroup delegation documentation](https://systemd.io/CGROUP_DELEGATION/). 

 A common use case outside of containers is for creating `systemd` units that have limits placed on the system resources they can use. For more information, see [systemd.resource-control](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html). 

# `systemd` timers replace `cron`


The `cronie` package was installed by default on the AL2 AMI, providing support for the traditional `crontab` way of scheduling periodic tasks. In AL2023, `cronie` is not included by default. Therefore, support for `crontab` is no longer provided by default. 

You can optionally install the `cronie` package to use classic `cron` jobs. We recommend that you migrate to `systemd` timers due to the added functionality provided by `systemd`.

# Improved toolchain: gcc, binutils, and glibc


AL2023 includes many of the same core packages as AL2.

We updated the following three core toolchain packages for AL2023.


| Package name | AL2 | AL2023 | 
| --- | --- | --- | 
| glibc |  2.26  | 2.34 | 
|  gcc  |  7.3  |  11.3  | 
|  binutils  |  2.29  |  2.39  | 

For more information, see [Core toolchain packages glibc, gcc, binutils](core-glibc.md). 

For more information about C, C++, and Fortran language runtimes, including updated default language standards, see [C, C++, and Fortran in AL2023](c-cplusplus.md).

For more information about optimizations, see [Performance and operational optimizations](performance-optimizations.md).

# `systemd` journal replaces `rsyslog`


In AL2023 the logging system package has changed from AL2. AL2023 doesn't install `rsyslog` by default, so the text based log files such as `/var/log/messages` that were available in AL2 aren't available by default. The default configuration for AL2023 is `systemd-journal`, which can be examined using `journalctl`. Although `rsyslog` is an optional package in AL2023, we recommend the new `systemd` based `journalctl` interface and related packages. For more information, see the [https://www.freedesktop.org/software/systemd/man/journalctl.html](https://www.freedesktop.org/software/systemd/man/journalctl.html) manual page.

 The `systemd` journal equivalents of some commonly used syslog commands are covered in the following table. 


| AL2 syslog command | AL2023 systemd journal equivalent | 
| --- | --- | 
| <pre>[ec2-user ~]$ cat /var/log/messages</pre> | <pre>[ec2-user ~]$ journalctl</pre> | 
| <pre>[ec2-user ~]$ tail -f /var/log/messages</pre> | <pre>[ec2-user ~]$ journalctl -f</pre> | 
| <pre>[ec2-user ~]$ grep foo /var/log/messages</pre> | <pre>[ec2-user ~]$ journalctl &#124; grep foo</pre> | 

# Minimized package dependencies


 Amazon Linux 2023 minimizes the dependency graph of many packages to provide a smaller footprint for applications. Notable changes from AL2 include the `curl-minimal` and `gnupg-minimal` packages, which significantly reduce the number of required packages while retaining commonly used functionality. 

**Topics**
+ [Package changes for `curl` and `libcurl`](curl-minimal.md)
+ [GNU Privacy Guard (GNUPG)](gnupg-minimal.md)

# Package changes for `curl` and `libcurl`


 AL2023 separates out the common protocols and functionality of the `curl` and `libcurl` packages into `curl-minimal` and `libcurl-minimal`. This reduces the disk, memory, and dependency footprint for most users, and is the default package for AL2023 AMIs and containers.

If the full functionality of `curl` is required, for example for `gopher://` support, run the following commands to install the `curl-full` and `libcurl-full` packages.

```
$ dnf swap libcurl-minimal libcurl-full
```

```
$ dnf swap curl-minimal curl-full
```

# GNU Privacy Guard (GNUPG)


 AL2023 separates out minimal and complete functionality for the `gnupg2` package into `gnupg2-minimal` and `gnupg2-full` packages. By default, only the `gnupg2-minimal` package is installed. This provides the minimal functionality required to verify the digital signatures on `rpm` packages. 

 For more functionality from `gnupg2`, such as the ability to download keys from a key server, ensure that the `gnupg2-full` package is installed. Run the following command to swap `gnupg2-minimal` for `gnupg2-full`.

```
$ dnf swap gnupg2-minimal gnupg2-full
```

# Amazon Corretto as the default JVM


AL2023 ships with [Amazon Corretto](https://aws.amazon.com/corretto/) as the default (and only) Java Development Kit (JDK). All Java based packages in AL2023 are built with Amazon Corretto 17. 

 If you are migrating from AL2, you can smoothly transition from the equivalent `OpenJDK` version on AL2 to Amazon Corretto. 

# AWS CLI v2


 AL2023 ships with AWS CLI version 2, whereas AL2 ships with version 1 of the AWS CLI. 

# UEFI Preferred and Secure Boot


By default, any instances launched with the AL2023 AMI on instance types that support UEFI firmware will launch in UEFI mode. This is done by setting the Boot Mode AMI parameter to `uefi-preferred`. For more information, see [Boot Modes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html) in the *Amazon EC2 User Guide*. 

 On Amazon EC2 instance types that support UEFI Secure Boot, it is possible to enable Secure Boot in Amazon Linux 2023. For more information, see [UEFI Secure Boot on AL2023](uefi-secure-boot.md). 

# SSH server default configuration changes


For the AL2023 AMI, we changed the types of `sshd` host keys that we generate with the release. We also dropped some legacy key types to avoid generating them at launch time. Clients must support the `rsa-sha2-256` and `rsa-sha2-512` protocols or `ssh-ed25519` with use of an `ed25519` key. By default, `ssh-rsa` signatures are disabled.

Additionally, AL2023 configuration settings in the default `sshd_config` file contain `UseDNS=no`. This new setting means that DNS impairments are less likely to block your ability to establish `ssh` sessions with your instances. The tradeoff is that the `from=hostname.domain,hostname.domain` line entries in your `authorized_keys` files won't be resolved. Because `sshd` no longer attempts to resolve the DNS names, each comma separated `hostname.domain` value must be translated to a corresponding IP address.

For more information, see [Default SSH server configuration](ssh-host-keys-disabled.md).
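The following audit is an added example, not AWS code: it lists the `from=` entries in an `authorized_keys` file that are host names rather than addresses, which are the entries that must be translated before they can match under `UseDNS=no`. The function names and the sample file are constructed for illustration.

```python
import ipaddress
import re

# Key-type prefixes that mark a line with no leading options field.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")


def split_unquoted(text, seps):
    """Split text on separator characters that sit outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return parts


def is_address_pattern(pattern):
    """True if a from= pattern can match on the client IP address alone."""
    pattern = pattern.lstrip("!")  # a leading "!" negates the pattern
    try:
        ipaddress.ip_network(pattern, strict=False)  # plain address or CIDR
        return True
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.*?]+", pattern):  # IPv4 wildcard such as 192.0.2.*
        return True
    # IPv6 wildcard: hex digits, colons and wildcard characters only
    return ":" in pattern and re.fullmatch(r"[0-9A-Fa-f:.*?]+", pattern) is not None


def hostname_from_patterns(authorized_keys_text):
    """Return (line number, pattern) for each from= entry that is a host name."""
    findings = []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first_field = split_unquoted(line, " \t")[0]
        if KEY_TYPE.match(first_field):
            continue  # line starts with the key type, so it has no options
        for option in split_unquoted(first_field, ","):
            name, _, value = option.partition("=")
            if name.lower() != "from":  # option keywords are case-insensitive
                continue
            for pattern in value.strip('"').split(","):
                if pattern and not is_address_pattern(pattern):
                    findings.append((lineno, pattern))
    return findings


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = '''\
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
from="bastion.example.com,10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo deploy
from="192.0.2.*,!192.0.2.7",command="/usr/bin/backup --tag a,b" ssh-rsa AAAAB3NzaC1yc2EAAAAExampleKeyThree backup
FROM="*.corp.example.com,2001:db8::/32",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyFour ops
'''

if __name__ == "__main__":
    for lineno, pattern in hostname_from_patterns(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: from= entry {pattern!r} is a host name; "
              "replace it with an IP address or CIDR range")
```

Run it against each account's `authorized_keys` before migrating; a key restricted only by host-name patterns stops matching on AL2023 until those entries are replaced.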

# AL2023 kernel changes from AL2

AL2023 brings the 6.1 kernel, as well as many configuration changes to further optimize Amazon Linux for the cloud. For most users, these changes should be completely transparent.

## IPv4 TTL


The TTL for IPv4 is configured via `sysctl`, with the default values being present in `/etc/sysctl.d/00-defaults.conf`. This value can be customized through the usual `sysctl` methods. For more information, see the `sysctl` `man` page. 

 AL2 set the `net.ipv4.ip_default_ttl` value to 255, while AL2023 sets it to 127. This brings Amazon Linux defaults in line with other major Linux distributions. It is not recommended to change this default without a demonstrated need to. 

## Security focused kernel config changes



| `CONFIG` option | AL2/4.14/aarch64 | AL2/4.14/x86_64 | AL2/5.10/aarch64 | AL2/5.10/x86_64 | AL2023/6.1/aarch64 | AL2023/6.1/x86_64 | AL2023/6.12/aarch64 | AL2023/6.12/x86_64 | AL2023/6.18/aarch64 | AL2023/6.18/x86_64 | 
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | 
|  [`CONFIG_BUG_ON_DATA_CORRUPTION`](kernel-hardening.md#CONFIG_BUG_ON_DATA_CORRUPTION)  |  n  |  y  |  n  |  y  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_DEFAULT_MMAP_MIN_ADDR`](kernel-hardening.md#CONFIG_DEFAULT_MMAP_MIN_ADDR)  |  4096  |  4096  |  4096  |  4096  |  65536  |  65536  |  65536  |  65536  |  65536  |  65536  | 
|  [`CONFIG_DEVMEM`](#CONFIG_DEVMEM)  |  n  |  y  |  n  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_DEVPORT`](#CONFIG_DEVPORT)  |  n  |  y  |  n  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_FORTIFY_SOURCE`](#CONFIG_FORTIFY_SOURCE)  |  n  |  y  |  n  |  y  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_HARDENED_USERCOPY_FALLBACK`](kernel-hardening.md#CONFIG_HARDENED_USERCOPY_FALLBACK)  | N/A | N/A |  y  |  y  | N/A | N/A | N/A | N/A | N/A | N/A | 
|  [`CONFIG_INIT_ON_ALLOC_DEFAULT_ON`](kernel-hardening.md#CONFIG_INIT_ON_ALLOC_DEFAULT_ON)  | N/A | N/A |  n  |  n  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_INIT_ON_FREE_DEFAULT_ON`](kernel-hardening.md#CONFIG_INIT_ON_FREE_DEFAULT_ON)  | N/A | N/A |  n  |  n  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_IOMMU_DEFAULT_DMA_STRICT`](kernel-hardening.md#CONFIG_IOMMU_DEFAULT_DMA_STRICT)  | N/A | N/A | N/A | N/A |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_LDISC_AUTOLOAD`](#CONFIG_LDISC_AUTOLOAD)  |  y  |  y  |  y  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_SCHED_CORE`](kernel-hardening.md#CONFIG_SCHED_CORE)  | N/A | N/A | N/A | N/A | N/A |  y  | N/A |  y  | N/A |  y  | 
|  [`CONFIG_SCHED_STACK_END_CHECK`](kernel-hardening.md#CONFIG_SCHED_STACK_END_CHECK)  |  n  |  y  |  n  |  y  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_SECURITY_DMESG_RESTRICT`](#CONFIG_SECURITY_DMESG_RESTRICT)  |  n  |  n  |  n  |  n  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_SECURITY_SELINUX_DISABLE`](#CONFIG_SECURITY_SELINUX_DISABLE)  |  y  |  y  |  y  |  y  |  n  |  n  | N/A | N/A | N/A | N/A | 
|  [`CONFIG_SHUFFLE_PAGE_ALLOCATOR`](kernel-hardening.md#CONFIG_SHUFFLE_PAGE_ALLOCATOR)  | N/A | N/A |  y  |  y  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_SLAB_FREELIST_HARDENED`](kernel-hardening.md#CONFIG_SLAB_FREELIST_HARDENED)  |  n  |  y  |  y  |  y  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_SLAB_FREELIST_RANDOM`](kernel-hardening.md#CONFIG_SLAB_FREELIST_RANDOM)  |  n  |  n  |  y  |  y  |  y  |  y  |  y  |  y  |  y  |  y  | 
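
To check a running or custom-built kernel against the AL2023 columns of the table above, the following added example (not AWS code) parses a kernel config file and reports every option that differs. It assumes the config is readable at `/boot/config-<kernel release>`; the function names and the sample config are constructed for illustration.

```python
import platform
import re

# AL2023 values taken from the table on this page, limited to rows whose
# AL2023 columns agree across kernels and architectures. An option the table
# lists as N/A is absent from the config file, which is read here as "n".
AL2023_BASELINE = {
    "CONFIG_BUG_ON_DATA_CORRUPTION": "y",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
    "CONFIG_DEVMEM": "n",
    "CONFIG_DEVPORT": "n",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_LDISC_AUTOLOAD": "n",
    "CONFIG_SCHED_STACK_END_CHECK": "y",
    "CONFIG_SECURITY_DMESG_RESTRICT": "y",
    "CONFIG_SECURITY_SELINUX_DISABLE": "n",
    "CONFIG_SHUFFLE_PAGE_ALLOCATOR": "y",
    "CONFIG_SLAB_FREELIST_HARDENED": "y",
    "CONFIG_SLAB_FREELIST_RANDOM": "y",
}

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kernel_config(text):
    """Map option name to value; '# CONFIG_X is not set' becomes 'n'."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = SET_RE.match(line)
        if match:
            config[match.group(1)] = match.group(2).strip('"')
            continue
        match = UNSET_RE.match(line)
        if match:
            config[match.group(1)] = "n"
    return config


def baseline_drift(config_text, baseline=AL2023_BASELINE):
    """Return {option: (actual, expected)} for options that differ."""
    config = parse_kernel_config(config_text)
    drift = {}
    for option, expected in baseline.items():
        actual = config.get(option, "n")  # missing option counts as disabled
        if actual != expected:
            drift[option] = (actual, expected)
    return drift


# Constructed sample, modelled on the AL2/4.14/x86_64 column of the table.
SAMPLE_CONFIG = """\
# constructed sample kernel config
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_DEVMEM=y
CONFIG_DEVPORT=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_LDISC_AUTOLOAD=y
CONFIG_SCHED_STACK_END_CHECK=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
"""

if __name__ == "__main__":
    path = f"/boot/config-{platform.release()}"  # assumed config location
    try:
        with open(path) as handle:
            text = handle.read()
    except OSError:
        text = SAMPLE_CONFIG  # fall back to the constructed sample
    for option, (actual, expected) in sorted(baseline_drift(text).items()):
        print(f"{option}: found {actual}, AL2023 table value {expected}")
```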

### x86-64 Specific Security focused kernel config changes



| `CONFIG` option | AL2/4.14/x86_64 | AL2/5.10/x86_64 | AL2023/6.1/x86_64 | AL2023/6.12/x86_64 | AL2023/6.18/x86_64 | 
| --- | --- | --- | --- | --- | --- | 
|  [`CONFIG_AMD_IOMMU`](kernel-hardening.md#CONFIG_AMD_IOMMU)  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_AMD_IOMMU_V2`](kernel-hardening.md#CONFIG_AMD_IOMMU_V2)  |  m  |  m  |  y  | N/A | N/A | 
|  [`CONFIG_RANDOMIZE_MEMORY`](kernel-hardening.md#CONFIG_RANDOMIZE_MEMORY)  | N/A |  y  |  y  |  y  |  y  | 

### aarch64 (ARM/Graviton) Specific Security focused kernel config changes



| `CONFIG` option | AL2/4.14/aarch64 | AL2/5.10/aarch64 | AL2023/6.1/aarch64 | AL2023/6.12/aarch64 | AL2023/6.18/aarch64 | 
| --- | --- | --- | --- | --- | --- | 
|  [`CONFIG_ARM64_PTR_AUTH`](kernel-hardening.md#CONFIG_ARM64_PTR_AUTH)  | N/A |  y  |  y  |  y  |  y  | 
|  [`CONFIG_ARM64_PTR_AUTH_KERNEL`](kernel-hardening.md#CONFIG_ARM64_PTR_AUTH_KERNEL)  | N/A | N/A |  y  |  y  |  y  | 
|  [`CONFIG_ARM64_SW_TTBR0_PAN`](kernel-hardening.md#CONFIG_ARM64_SW_TTBR0_PAN)  |  y  |  y  |  y  |  y  |  y  | 

### `/dev/mem`, `/dev/kmem` and `/dev/port`


 Amazon Linux 2023 disables `/dev/mem` and `/dev/port` (`CONFIG_DEVMEM` and `CONFIG_DEVPORT`) completely, building on the restrictions already in place in AL2. 

 The `/dev/kmem` code was completely removed from Linux in the 5.13 kernel, and while it was disabled in AL2, it is now not applicable to AL2023. 

This option is one of the [Kernel Self Protection Project Recommended Settings](https://kspp.github.io/Recommended_Settings).

### `FORTIFY_SOURCE`


 AL2023 enables `CONFIG_FORTIFY_SOURCE` on all supported architectures. This feature is a security hardening feature. Where the compiler can determine and validate the buffer sizes, this feature can detect buffer overflows in common string and memory functions. 

This option is one of the [Kernel Self Protection Project Recommended Settings](https://kspp.github.io/Recommended_Settings).

### Line Discipline autoload (`CONFIG_LDISC_AUTOLOAD`)


 The AL2023 kernel will not automatically load line disciplines, such as by software using the `TIOCSETD` `ioctl`, unless the request comes from a process with the `CAP_SYS_MODULE` capability. 

This option is one of the [Kernel Self Protection Project Recommended Settings](https://kspp.github.io/Recommended_Settings).

### `dmesg` access for unprivileged users (`CONFIG_SECURITY_DMESG_RESTRICT`)


 By default, AL2023 does not allow unprivileged users access to `dmesg`. 

This option is one of the [Kernel Self Protection Project Recommended Settings](https://kspp.github.io/Recommended_Settings).

### SELinux `selinuxfs` disable


 AL2023 disables the deprecated `CONFIG_SECURITY_SELINUX_DISABLE` kernel option, which enabled a runtime method of disabling SELinux prior to policy being loaded. 

This option is one of the [Kernel Self Protection Project Recommended Settings](https://kspp.github.io/Recommended_Settings).

## Other kernel configuration changes



| `CONFIG` option | AL2/4.14/aarch64 | AL2/4.14/x86_64 | AL2/5.10/aarch64 | AL2/5.10/x86_64 | AL2023/6.1/aarch64 | AL2023/6.1/x86_64 | AL2023/6.12/aarch64 | AL2023/6.12/x86_64 | AL2023/6.18/aarch64 | AL2023/6.18/x86_64 | 
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | 
|  [`CONFIG_HZ`](#CONFIG_HZ)  |  100  |  250  |  100  |  250  |  100  |  100  |  100  |  100  |  100  |  100  | 
|  [`CONFIG_NR_CPUS`](#CONFIG_NR_CPUS)  |  4096  |  8192  |  4096  |  8192  |  4096  |  8192  |  4096  |  8192  |  4096  |  8192  | 
|  [`CONFIG_PANIC_ON_OOPS`](#CONFIG_PANIC_ON_OOPS)  |  y  |  n  |  y  |  n  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_PANIC_ON_OOPS_VALUE`](#CONFIG_PANIC_ON_OOPS_VALUE)  |  1  |  0  |  1  |  0  |  1  |  1  |  1  |  1  | N/A | N/A | 
|  [`CONFIG_PPP`](#CONFIG_PPP)  |  m  |  m  |  m  |  m  |  m  |  m  |  m  |  m  |  m  |  m  | 
|  [`CONFIG_SLIP`](#CONFIG_SLIP)  |  m  |  m  |  m  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_XEN_PV`](#CONFIG_XEN_PV)  | N/A |  y  | N/A |  n  | N/A |  n  | N/A |  n  | N/A |  n  | 

### CONFIG_HZ


 AL2023 sets `CONFIG_HZ` to 100 on both `x86-64` and `aarch64` platforms. 

### CONFIG_NR_CPUS


 AL2023 sets `CONFIG_NR_CPUS` to a number closer to the maximum number of CPU cores found in Amazon EC2. 

### Panic on OOPS


 The AL2023 kernel will panic when it oopses. This feature is equivalent to booting with `oops=panic` on the kernel command line. 

 A kernel oops is where the kernel has detected an internal error which may affect the further reliability of the system. 

### PPP and SLIP Support


 AL2023 does not support the SLIP protocol, but the latest AL2023 kernels can support the PPP protocol. 

### Xen PV Guest Support


 AL2023 does not support running as a Xen PV guest. 

## Kernel Filesystem support


There have been several changes in the file systems that the kernel in AL2 will support mounting, along with changes in the partitioning schemes that the kernel will parse.


| `CONFIG` option | AL2/4.14/aarch64 | AL2/4.14/x86_64 | AL2/5.10/aarch64 | AL2/5.10/x86_64 | AL2023/6.1/aarch64 | AL2023/6.1/x86_64 | AL2023/6.12/aarch64 | AL2023/6.12/x86_64 | AL2023/6.18/aarch64 | AL2023/6.18/x86_64 | 
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | 
|  [`CONFIG_AFS_FS`](#CONFIG_AFS_FS)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_AF_RXRPC`](#CONFIG_AF_RXRPC)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_BSD_DISKLABEL`](#CONFIG_BSD_DISKLABEL)  |  y  |  y  |  y  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_CRAMFS`](#CONFIG_CRAMFS)  |  m  |  m  |  m  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_CRAMFS_BLOCKDEV`](#CONFIG_CRAMFS_BLOCKDEV)  | N/A | N/A |  y  |  n  | N/A | N/A | N/A | N/A | N/A | N/A | 
|  [`CONFIG_DM_CLONE`](#CONFIG_DM_CLONE)  | N/A | N/A |  n  |  n  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_DM_ERA`](#CONFIG_DM_ERA)  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_DM_INTEGRITY`](#CONFIG_DM_INTEGRITY)  |  n  |  m  |  n  |  m  |  m  |  m  |  m  |  m  |  m  |  m  | 
|  [`CONFIG_DM_LOG_WRITES`](#CONFIG_DM_LOG_WRITES)  |  n  |  n  |  m  |  m  |  m  |  m  |  m  |  m  |  m  |  m  | 
|  [`CONFIG_DM_SWITCH`](#CONFIG_DM_SWITCH)  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_DM_VERITY`](#CONFIG_DM_VERITY)  |  m  |  n  |  m  |  n  |  m  |  m  |  m  |  m  |  m  |  m  | 
|  [`CONFIG_ECRYPT_FS`](#CONFIG_ECRYPT_FS)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_EXFAT_FS`](#CONFIG_EXFAT_FS)  | N/A | N/A |  m  |  m  |  m  |  m  |  m  |  m  |  m  |  m  | 
|  [`CONFIG_EXT2_FS`](#CONFIG_EXT2_FS)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_EXT3_FS`](#CONFIG_EXT3_FS)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  | N/A | N/A | 
|  [`CONFIG_GFS2_FS`](#CONFIG_GFS2_FS)  |  m  |  m  |  m  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_HFSPLUS_FS`](#CONFIG_HFSPLUS_FS)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_HFS_FS`](#CONFIG_HFS_FS)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_JFS_FS`](#CONFIG_JFS_FS)  |  n  |  n  |  n  |  n  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_LDM_PARTITION`](#CONFIG_LDM_PARTITION)  |  n  |  y  |  n  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_MAC_PARTITION`](#CONFIG_MAC_PARTITION)  |  n  |  y  |  n  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_NFS_V2`](#CONFIG_NFS_V2)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_NTFS_FS`](#CONFIG_NTFS_FS)  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_ROMFS_FS`](#CONFIG_ROMFS_FS)  |  n  |  m  |  n  |  m  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_SOLARIS_X86_PARTITION`](#CONFIG_SOLARIS_X86_PARTITION)  |  n  |  y  |  n  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 
|  [`CONFIG_SQUASHFS_ZSTD`](#CONFIG_SQUASHFS_ZSTD)  |  n  |  y  |  n  |  y  |  y  |  y  |  y  |  y  |  y  |  y  | 
|  [`CONFIG_SUN_PARTITION`](#CONFIG_SUN_PARTITION)  |  n  |  y  |  n  |  y  |  n  |  n  |  n  |  n  |  n  |  n  | 

### Andrew File System support (AFS)


The kernel is no longer built with support for the `afs` file system. AL2 did not ship with user-space support for `afs`.

### cramfs support


 The kernel is no longer built with support for the `cramfs` file system. The successor in AL2023 is the `squashfs` file system. 

### BSD disklabel support


 The kernel is no longer built with support for BSD disk labels. If reading volumes with BSD disk labels is required, various BSDs can be launched. 

### Device Mapper changes


 There have been several changes to the Device Mapper targets configured in the AL2023 kernel. 

### eCryptFs support


 The `ecryptfs` file system has been deprecated in Amazon Linux. The user-space components of `ecryptfs` were present in AL1, removed in AL2, and AL2023 no longer builds the kernel with `ecryptfs` support. 

### exFAT


 Support for the `exFAT` file system was added in the 5.10 kernel in AL2. It was not present at AL2 launch with a 4.14 kernel. AL2023 continues to support the `exFAT` file system. 

### The ext2, ext3, and ext4 file systems


 AL2023 ships with the `CONFIG_EXT4_USE_FOR_EXT2` option, which means that the `ext4` file system code will be used to read legacy `ext2` file systems. 

### CONFIG_GFS2_FS


 The kernel is no longer built with `CONFIG_GFS2_FS`. 

### Apple Extended HFS file system support (HFS+)


 In AL2, only the `x86-64` kernels were built with the `hfsplus` file system support. The AL2 5.15 kernel does not include `hfsplus` support on any architecture. In AL2023, we complete the deprecation of `hfsplus` support in Amazon Linux. 

### HFS file system support


 In AL2, only the `x86-64` kernels were built with the `hfs` file system support. The AL2 5.15 kernel does not include `hfs` support on any architecture. In AL2023, we complete the deprecation of `hfs` support in Amazon Linux. 

### JFS file system support


 Older AL2 `x86-64` kernels were built with `jfs` file system support. The AL2 5.15 kernel does not include `jfs` support on any architecture. Neither AL1 nor AL2 shipped with JFS userspace. In AL2023, we complete the deprecation of `jfs` support in Amazon Linux. 

 The upstream Linux kernel is [considering the removal of `JFS`](https://lore.kernel.org/lkml/Y8DvK281ii6yPRcW@infradead.org/). Therefore, if you have data on a `JFS` file system, you should migrate it to another file system. In 2024, `JFS` was removed from all current Amazon Linux kernels. 

### Windows Logical Disk Manager (Dynamic Disk) support (`CONFIG_LDM_PARTITION`)


 AL2023 no longer supports Windows 2000, Windows XP, or Windows Vista *dynamic disks* with MS-DOS style partitions. This code did not ever support the newer GPT based dynamic disks introduced with Windows Vista. 

### Macintosh partition map support


 AL2023 no longer supports the classic Macintosh partition map. Modern macOS versions will create modern GPT partition tables by default over this older type. 

### NFSv2 support


 AL2023 no longer supports NFSv2, but continues to support NFSv3, NFSv4, NFSv4.1, and NFSv4.2. We recommend that you migrate to NFSv3 or newer. 

### NTFS (`CONFIG_NTFS_FS`)


 The `ntfs3` code replaced `ntfs` for accessing NTFS file systems on Amazon Linux as of the 5.10 kernel in AL2. AL2023 no longer includes the `ntfs` code, and relies exclusively on the `ntfs3` code for accessing NTFS file systems. 

### romfs file system


 The `squashfs` file system is the successor of the `romfs` file system in Amazon Linux, and the AL2023 kernel is no longer built with support for `romfs`. 

### Solaris x86 hard disk partition format


 AL2023 no longer supports the Solaris x86 hard disk partition format. 

### `squashfs` zstd compression


 AL2023 adds support for zstd compressed `squashfs` file systems on all supported architectures. 

### Sun partition table support


 AL2023 no longer includes support for the Sun partition table format (`CONFIG_SUN_PARTITION`). 

# `/tmp` is now `tmpfs`

 Amazon Linux 2023 introduces changes to how `/tmp` behaves when compared to Amazon Linux 2. The default configuration for AL2 was that both `/tmp` and `/var/tmp` were on the root file system. Amazon Linux 2023 defaults to using `tmpfs` for `/tmp` with a limit of 50% of RAM and a maximum of one million inodes. These changes bring Amazon Linux in line with the behavior of other Linux distributions. 

 For full details of the file system layout of AL2023, see [`/tmp`](filesystem-slash-tmp.md) and [`/var/tmp`](filesystem-slash-var.md#filesystem-slash-var-tmp) in the [Filesystem Layout](filesystem.md) section. 

# AMI and Container Image changes


 There have been some changes to the packages included in AMIs and containers. 

 Amazon Linux 2023 introduces an [AL2023 Minimal container image](minimal-container.md), and support for [Building bare-bones AL2023 container images](barebones-containers.md). For more information, see [Using AL2023 in containers](container.md). 

# Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 AMIs

A comparison of the RPMs present on the Amazon Linux 2 and AL2023 standard AMIs.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/amzn2-al2023-ami.html)

# Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 Minimal AMIs

A comparison of the RPMs present on the Amazon Linux 2 and AL2023 Minimal AMIs.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/amzn2-al2023-minimal-ami.html)

# Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 base container images

A comparison of the RPMs present on the Amazon Linux 2 and AL2023 base container images.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/amzn2-al2023-container.html)