

# Updating AL2023
<a name="updating"></a>

It's important to keep up to date with AL2023 releases so that you can benefit from security updates and new features. With AL2023, you can ensure consistency between package versions and updates across your environment through [Deterministic upgrades through versioned repositories on AL2023](deterministic-upgrades.md).

**Warning**  
 Running `dnf --releasever=latest update` is not best practice, and is likely to result in an OS update being first tested in production.   
 Instead of using `latest`, use a specific AL2023 release version. This ensures you are deploying the same changes across production instances as you previously tested. For example, `dnf --releasever=2023.11.20260413 update` will always update to the 2023.11.20260413 release.   
 For more information, see the [Updating AL2023](https://docs.aws.amazon.com/linux/al2023/ug/updating.html) section in the [AL2023 User Guide](https://docs.aws.amazon.com/linux/al2023/ug/). 

**Topics**
+ [Best practices for safely deploying updates](updating-best-practice.md)
+ [Receive notifications on new updates](receive-update-notification.md)
+ [Deterministic upgrades through versioned repositories on AL2023](deterministic-upgrades.md)
+ [Manage package and operating system updates in AL2023](managing-repos-os-updates.md)
+ [Kernel Live Patching on AL2023](live-patching.md)
+ [Updating the Linux Kernel on AL2023](kernel-update.md)

# Best practices for safely deploying updates
<a name="updating-best-practice"></a>

 Amazon Linux 2023 (AL2023) has several features designed to help you safely deploy updates to the operating system, know what changed between updates, and, if necessary, easily revert to the older version. This section explores lessons learned by AWS from more than a decade of internal and external use of Amazon Linux. 

 Without planning for deployment safety of OS updates, the impact of an unexpected negative interaction between your application/service and an OS update can be significantly greater, up to and including a total outage. As with any software issue, the earlier the issue is detected, the less impact it can have on end users. 

 It is important to not fall into the trap of believing two things which are fundamentally not true: 

1. The OS vendor will never make a mistake in an update to the OS.

1. The specific OS behavior or interface that you rely on is one that the OS vendor also considers something to be relied upon.

   That is, both the OS vendor and you would agree that there was a problem with the update.

 Do not rely on good intentions. Put systems in place to ensure that deployment safety *includes* any update to the OS. 

 It is not recommended to test new OS updates by deploying to production environments. It is best practice to consider the OS as another part of your deployment, and think about applying the same deployment safety mechanisms you consider suitable for any other change to a production environment. 

 It is best practice to test any and all OS updates before deploying to production systems. When deploying, staged rollouts combined with good monitoring are recommended. Staged rollouts can ensure that if a problem occurs, even if not immediate, impact is restricted to a subset of a fleet, and further deployment of the update can be halted while further investigation and mitigation can occur. 

 The mitigation of any negative impact of taking an update to the OS is often the first priority, followed by resolving the issue, wherever it may be. Where the introduction of an OS update is correlated to negative impact, the ability to revert to the previous known-good version of the OS is a powerful tool to have. 

 Amazon Linux 2023 introduces [Deterministic upgrades through versioned repositories](deterministic-upgrades.md), a powerful new feature to ensure any change to the version of the OS (or individual packages) is repeatable. Thus, if a problem is encountered when moving from one OS version to the next, there are simple-to-use mechanisms available to stick to the known-working OS version while working out how to resolve the problem. 

 With AL2023, whenever we release new package updates, there's a new version to lock to, and new AMIs that lock to that version. The [AL2023 Release Notes](https://docs.aws.amazon.com/linux/al2023/release-notes/) cover changes in each release, and [Amazon Linux Security advisories for AL2023](alas.md) covers security issues addressed in package updates. 

 For example, if you were affected by the issue present in the [2023.6.20241028](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241028.html) release, you could immediately revert to using the AMIs and container images of the prior release, [2023.6.20241010](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241010.html). In this case, there was a bug in a package that was fixed in the subsequent [2023.6.20241031](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241031.html) release, but with [Deterministic upgrades through versioned repositories](deterministic-upgrades.md) anyone affected could *immediately* take simple action to mitigate: just use the previous images. 

 [Deterministic upgrades through versioned repositories](deterministic-upgrades.md) also gives assurance that any in-progress deployment of an OS update, either in place or by launching new AMIs or container images, is not affected by subsequently released OS updates. 

 For our first example, fleet A is a large fleet which is halfway through deploying the update from [2023.5.20241001](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20241001.html) to the [2023.6.20241010](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241010.html) release when the [2023.6.20241028](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241028.html) release comes out. [Deterministic upgrades through versioned repositories](deterministic-upgrades.md) means that the deployment for fleet A continues without any change to what updates it is applying. 

 The purpose of wave based or phase based deployment strategies such as first deploying to 1% of a fleet, then 5%, 10%, 20%, 40%, until reaching 100%, is to be able to test a change in a limited fashion before rolling it out wider. This type of deployment strategy is commonly considered best practice for deploying any production change. 

 With a wave based deployment strategy and the fleet A update to [2023.6.20241010](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241010.html) being at a stage where it's being deployed to a lot of hosts at once, the fact that [2023.6.20241028](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241028.html) was released has *no impact on the in-progress deployment* thanks to using [Deterministic upgrades through versioned repositories](deterministic-upgrades.md). 

 If fleet B was running an older version, say [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html), and had started deploying the update to [2023.6.20241028](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241028.html), and fleet B was affected by the issue in that version, this would be noticed early in the deployment. At that point, a decision can be made on whether to pause any rollout until a fix for that issue is available, or whether in the meantime to start a deployment of the same version fleet A was running, [2023.6.20241010](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241010.html), so that fleet B gets all the updates between [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html) and [2023.6.20241010](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.6.20241010.html). 

 It is important to note that *not* taking OS updates promptly can cause issues. New updates likely contain bug and security fixes which may be relevant to your environment. For more information, see [Security and Compliance in Amazon Linux 2023](security.md) and [Manage package and operating system updates in AL2023](managing-repos-os-updates.md). 

 It is important to configure your deployment systems to be able to easily take new OS updates, test them before deploying to production, and use mechanisms such as wave based deployments to minimize any negative impact. In order to be able to mitigate any negative impact of an OS update, it is important to know how to make your deployment systems point to a previous known-good version of the OS, and once the issue is addressed, no longer be locked to the older known-good version but rather move to a new known-good version. 
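The wave-based strategy described above, sketched as a POSIX shell driver. This is an added example, not AWS tooling: the `rollout` function, its `APPLY` and `HEALTH` hooks and the sample fleet are hypothetical, and the hooks stand in for whatever runs `dnf upgrade --releasever=<version>` and your health checks on each host.

```sh
#!/bin/sh
# Added example: staged rollout of a pinned AL2023 release that halts as soon
# as a host in the current wave fails, so impact stays within that wave.

WAVES="1 5 10 20 40 100"   # cumulative fleet percentages from the text above

# True for a date-stamped release such as 2023.11.20260413; "latest" is refused
# because it would not deploy the same changes that were tested.
is_pinned_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}\.[0-9]+\.[0-9]{8}$'
}

# rollout RELEASE HOSTS_FILE APPLY HEALTH
#   HOSTS_FILE  one host name per line (no whitespace inside names)
#   APPLY       called as: APPLY host release  (hypothetical hook, e.g. a
#               wrapper that runs `dnf -y upgrade --releasever=release` there)
#   HEALTH      called as: HEALTH host         (non-zero means unhealthy)
# Prints one line per wave and a final "complete ..." or "halted ..." line.
# Exit status: 0 complete, 1 halted, 2 refused.
rollout() (
    release=$1 hosts_file=$2 apply=$3 health=$4

    if ! is_pinned_version "$release"; then
        echo "refused release=$release reason=not-a-pinned-version"
        exit 2
    fi

    hosts=$(grep . "$hosts_file" || true)                 # skip blank lines
    total=$(printf '%s\n' "$hosts" | grep -c . || true)
    updated=0

    for pct in $WAVES; do
        # Round up so that the first wave always contains at least one host.
        target=$(( (total * pct + 99) / 100 ))
        [ "$target" -gt "$updated" ] || continue          # empty wave (small fleet)
        wave_hosts=$(printf '%s\n' "$hosts" | sed -n "$((updated + 1)),${target}p")

        for host in $wave_hosts; do
            "$apply" "$host" "$release" || {
                echo "halted wave=${pct}% updated=$updated failed=$host stage=apply"
                exit 1
            }
            updated=$((updated + 1))
        done

        # Gate the next wave on the health of every host in this one.
        for host in $wave_hosts; do
            "$health" "$host" || {
                echo "halted wave=${pct}% updated=$updated failed=$host stage=health"
                exit 1
            }
        done
        echo "wave=${pct}% updated=$updated/$total ok"
    done
    echo "complete release=$release updated=$updated"
)

# Constructed demo: a 200-host fleet in which host-007 becomes unhealthy after
# the update. The rollout stops in the 5% wave with 10 of 200 hosts touched.
demo_apply()  { :; }                       # stand-in for the real update step
demo_health() { [ "$1" != host-007 ]; }    # simulated regression on one host

demo() {
    demo_dir=$(mktemp -d)
    i=1
    while [ "$i" -le 200 ]; do
        printf 'host-%03d\n' "$i"
        i=$((i + 1))
    done > "$demo_dir/hosts"
    rollout 2023.6.20241028 "$demo_dir/hosts" demo_apply demo_health || true
    rollout latest "$demo_dir/hosts" demo_apply demo_health || true
    rm -rf "$demo_dir"
}
demo
```

After a halt, the same driver can be pointed at the previous known-good release version to continue updating while the issue is investigated.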

## Preparing for Minor Updates
<a name="prepare-for-minor-updates"></a>

 Preparing for smaller updates to the OS, such as a new point release of AL2023, is intended to require limited to zero effort. Be sure to read the [AL2023 Release Notes](https://docs.aws.amazon.com/linux/al2023/release-notes/) for any upcoming changes. 

 The [support period of a package](https://docs.aws.amazon.com/linux/al2023/release-notes/support-info-by-support-statement.html) coming to an end may involve moving to a newer version of the language runtime (such as with [PHP in AL2023](php.md)). It is best practice to prepare for this by moving to new language runtime versions comfortably in advance of the support period ending. 

 For packages such as [`pcre` version 1](deprecated-al2023.md#deprecated-pcre), there is also the opportunity to plan in advance and migrate any of your code to its replacement, which in this case is `pcre` version 2. It is best practice to do so as soon as possible, to allow time for any setbacks. 

 Where there is no direct replacement, such as with [Berkeley DB (`libdb`)](deprecated-al2023.md#deprecated-bdb), you may need to make a choice based on your use case. 

## Preparing for Major Updates
<a name="prepare-for-major-updates"></a>

 Updating to a new major version of an Operating System is near universally viewed as something which requires planning, work to adapt to changed or deprecated functionality, and also testing prior to deployment. It is not uncommon to be able to prepare for the next major version of Amazon Linux 2023 more incrementally, such as addressing any use of deprecated or removed functionality before proceeding with moving to the next major version. 

 For example, when moving from AL2 to AL2023, reading the [Functionality deprecated in AL2 and removed in AL2023](deprecated-al2.md) section can identify a number of small, safe steps that you can take while still using AL2 to prepare for AL2023. For instance, any Python 2.7 usage (outside of OS use such as in the `yum` package manager) can be migrated to Python 3 in preparation for using [Python in AL2023](python.md); see [Python 2.7 has been replaced with Python 3](python2.7-no-more.md). If using [PHP](php.md), both AL2 (through the PHP 8.2 [AL2 Extra](https://docs.aws.amazon.com/linux/al2/ug/al2-extras.html)) and AL2023 ship PHP 8.2, so the PHP version migration and the OS migration do not have to occur simultaneously. 

 It is also possible to prepare for the next major version of Amazon Linux 2023 today, while using AL2023. The [Deprecated in AL2023](deprecated-al2023.md) section covers features and packages which are deprecated in AL2023 and due to be removed. 

 For example, migrating any remaining [System V init (`sysvinit`)](deprecated-al2023.md#deprecated-sysv-init) use, such as `init` scripts, over to their `systemd` equivalent will prepare you for the future, as well as allow you to use the full set of `systemd` features to monitor the service, control how and whether to restart it, declare what other services it needs, and apply any resource or permission constraints. 

 For features such as 32-bit support, deprecation can span multiple major versions of the OS. For 32-bit, Amazon Linux 1 (AL1) deprecated [32-bit x86 (i686) AMIs](deprecated-al1.md#deprecated-32bit-amis), Amazon Linux 2 deprecated [32-bit x86 (i686) Packages](deprecated-al2.md#deprecated-32bit-rpms), and Amazon Linux 2023 deprecates [32bit x86 (i686) runtime support](deprecated-al2023.md#deprecated-32bit). The transition away from [IMDSv1](deprecated-al2023.md#deprecated-imdsv1) also spans multiple major versions of the OS. For these types of changes, it is understood that some customers require a longer time to adapt to them, thus there is a large amount of leeway before the functionality is no longer available in Amazon Linux 2023. 

 The list of deprecated functionality is updated over the lifetime of the OS, and it is advisable to keep up to date with changes to it. 

# Receive notifications on new updates
<a name="receive-update-notification"></a>

You can receive notifications whenever a new AL2023 AMI is released. Notifications are published with [Amazon SNS](https://aws.amazon.com/sns/) using the following topic.

```
arn:aws:sns:us-east-1:137112412989:amazon-linux-2023-ami-updates
```

Messages are posted here when a new AL2023 AMI is published. The version of the AMI will be included in the message.

These messages can be received using several different methods. We recommend that you use the following method.

1. Open the [Amazon SNS console](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation bar, change the AWS Region to **US East (N. Virginia)**, if necessary. You must select the Region where the SNS notification that you're subscribing to was created.

1. In the navigation pane, choose **Subscriptions**, **Create subscription**.

1. For the **Create subscription** dialog box, do the following:

   1. For **Topic ARN**, copy and paste the following **Amazon Resource Name** (ARN): **arn:aws:sns:us-east-1:137112412989:amazon-linux-2023-ami-updates**. 

   1. For **Protocol**, choose **Email**.

   1. For **Endpoint**, enter an email address that you can use to receive the notifications.

   1. Choose **Create subscription**.

1. You receive a confirmation email with the subject line "AWS Notification - Subscription Confirmation". Open the email and choose **Confirm subscription** to complete your subscription.

# Deterministic upgrades through versioned repositories on AL2023
<a name="deterministic-upgrades"></a>

**Note**  
By default, your AL2023 instance doesn't automatically receive additional critical and important security updates at launch. Your instance initially contains the updates that were available in the version of AL2023 and the chosen AMI.

## Control the updates received from major and minor releases
<a name="controlling-release-updates"></a>

With AL2023, you can ensure consistency between package versions and updates across your environment. You can also ensure consistency for multiple instances of the same Amazon Machine Image (AMI). With the deterministic upgrades through versioned repositories feature, which is turned on by default, you can apply updates based on a schedule that meets your specific needs.

Whenever we release new package updates, there's a new version to lock to, and new AMIs that lock to that version.

AL2023 locks to a specific version of your repository. This is supported for both major and minor versions. The AL2023 AMI, exposed through our SSM parameters, is always the latest version. It has the most up-to-date packages and updates, including critical and important security updates.

If you launch an instance from an existing AMI, updates aren't automatically applied. Any additional packages that are installed as part of your provisioning map to the repository version of the existing AMI. 

With this feature, you're in charge of ensuring consistency among package versions and updates across your environment. This is particularly the case if you're launching multiple instances from the same AMI. You can apply updates based on a schedule that meets your needs. You can also apply a specific set of updates on launch because these can also be locked to a specific repository version.

## Differences between minor and major version upgrades
<a name="differences-updates-upgrades"></a>

Major version releases of AL2023 include large-scale updates and might add, delete, or update packages. To ensure compatibility, upgrade your instance to a new major version only after you test your application on that version. 

Minor version releases of AL2023 include feature and security updates, but don't include package changes. This ensures that Linux features and the system library API stay available on new versions. Testing your application before updating isn't necessary. 

## Knowing when updates are available
<a name="knowing-when-to-update"></a>

 In order to apply an update, you need to know that one is available, and then know how to deploy the update. 

 For building derived AMIs when new AL2023 AMIs are released, [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/) can automatically build, patch, and test AMIs. To trigger your own AMI building pipelines, or to use the base AMIs, you can [Receive notifications on new updates](receive-update-notification.md). 

 For patching in-place, you can use tools such as [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) to orchestrate applying updates across a fleet. 

 For other public AMIs based on AL2023, the providers of those AMIs may have their own release schedule and notification methods. When using derived AMIs or container images, check the documentation from the publisher as to when updates are released. 

 The changes in each release are documented in the [AL2023 release notes](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html). Security updates are published on [Amazon Linux Security Center (ALAS)](https://alas.aws.amazon.com). 

## Control the package updates available from the AL2023 repositories
<a name="control-package-updates"></a>

When we publish a new version of the AL2023 repositories, all previous versions are still available. By default, the plugin for managing repository versions locks to the same version that was used to build the AMI. If you want to control package updates, follow these steps.

1. Discover available repository versions by running the following command.

   ```
   $ sudo dnf check-release-update
   ```

1. Select a version by running the following command.

   ```
   $ sudo dnf upgrade --releasever=version
   ```

This command starts an update using `dnf` from your current Amazon Linux release version to the release version that's specified in the command line. A list of the package updates is presented by `dnf`. Before the update is processed, you must confirm the update. After the update is complete, the new release version becomes the default release version that `dnf` uses for all future activities. 

For more information, see [Manage package and operating system updates in AL2023](managing-repos-os-updates.md).

# Deterministic updates via instance replacement
<a name="security-instance-replacement"></a>

 The [Deterministic upgrades through versioned repositories on AL2023](deterministic-upgrades.md) feature of Amazon Linux 2023 makes instance replacement an easy way to deterministically and safely roll out updated versions of AL2023. Deterministic updates mean that as a new version is progressively rolled out, if any issue is found, it's simple to revert to the previous AMI while determining the cause of the issue. 

 Using instance replacement rather than patching in-place means that updates are more deterministic and predictable as launching new capacity can be a well tested code-path with clear A and B states. Each of the before and after states can be well tested in a CI/CD system before deployment starts. 

 When doing in-place patching, there are a lot of intermediary states between before and after applying updates, which is harder to test for all combinations of states. 

 An OS update strategy of using instance replacement with deterministic updates fits well into blue/green, wave, and phase based deployment models. 

# Using Deterministic upgrades through versioned repositories
<a name="deterministic-upgrades-usage"></a>

**Topics**
+ [Using a deterministic upgraded system](#using-a-deterministic-upgraded-system)
+ [Selective update of a deterministic upgraded system](#deterministic-upgrade-selective-update)
+ [Using persistent override with deterministic upgrade](#deterministic-upgrade-override-persist)

## Using a deterministic upgraded system
<a name="using-a-deterministic-upgraded-system"></a>

**Note**  
 The default behavior of the package manager has changed from AL2. 

 Deterministic upgrades are a powerful way to ensure all changes to production environments can be fully tested before wide deployment. Each new AL2023 AMI is locked to a particular version of AL2023. This provides deterministic behavior of what versions of OS packages are installed when launching the specific AMI. In-place updates can be to a specific release version, ensuring deterministic behavior across a fleet. As you move to new AMIs or in-place update versions, you can test each one in your CI/CD pipeline, catching any potential issues before deploying to production environments. 

 You can use tools such as [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) to orchestrate applying updates across a fleet. For building derived AMIs when new AL2023 AMIs are released, [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/) can automatically build, patch, and test AMIs, or you can [Receive notifications on new updates](receive-update-notification.md) to know when new base AMIs are available, or to trigger your own AMI building pipelines. 

 For information on restricting updates to those from a particular advisory, see [Applying security updates in-place](security-inplace-update.md). 

 For patching in-place, you can use the `dnf` package manager. When you run the `dnf upgrade` command, the system checks for upgrades in the repository that the `releasever` variable specifies. A valid `releasever` is either *latest* or a date-stamped version such as *2023.11.20260413*.

You can change the value of `releasever` using one of the following methods. These methods are listed in descending system priority. This means that method 1 overrides methods 2 and 3, and method 2 overrides method 3.

1. The value in the command line flag, `--releasever=latest`, if it's used.

1. The value that's specified in the override variable file, `/etc/dnf/vars/releasever`, if it's set.

1. The currently installed version of the `system-release` package.

In the following example, the version is *2023.0.20230210*:

```
$ rpm -q system-release
system-release-2023.0.20230210-0.amzn2023.noarch
```

In a newly installed system, the override variable is not present. No upgrades are available because the system is locked to the installed version of `system-release`.

```
$ cat /etc/dnf/vars/releasever
cat: /etc/dnf/vars/releasever: No such file or directory
```

```
$ sudo dnf upgrade
Last metadata expiration check: 0:00:02 ago on Wed 15 Feb 2023 06:14:12 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
```

You can get packages of a specific version by using the `releasever` flag to provide the version that you want.

```
$ rpm -q system-release
system-release-2023.0.20230222-0.amzn2023.noarch
```

```
$ sudo dnf upgrade --releasever=2023.0.20230329
Amazon Linux 2023 repository                     26 MB/s |  12 MB     00:00
Dependencies resolved.
================================================================================
 Package                 Arch    Version                      Repository   Size
================================================================================
Installing:
 kernel                   aarch64 6.1.21-1.45.amzn2023        amazonlinux  26 M
Upgrading:
 amazon-linux-repo-s3     noarch  2023.0.20230329-0.amzn2023  amazonlinux  18 k
 ca-certificates          noarch  2023.2.60-1.0.amzn2023.0.1  amazonlinux 828 k
 cloud-init               noarch  22.2.2-1.amzn2023.1.7       amazonlinux 1.1 M

         ... [ list edited for clarity ]

 system-release           noarch  2023.0.20230329-0.amzn2023  amazonlinux  29 k

         ... [ list edited for clarity ]
          
 vim-data                 noarch  2:9.0.1403-1.amzn2023.0.1   amazonlinux  25 k
 vim-minimal              aarch64 2:9.0.1403-1.amzn2023.0.1   amazonlinux 753 k

Transaction Summary
================================================================================
Install    1 Package
Upgrade   42 Packages

Total download size: 56 M
```

Because the `--releasever` option overrides both `system-release` and `/etc/dnf/vars/releasever`, the result of this upgrade is the following:

1. The upgrade replaces all installed packages that changed between the previous and new versions.

1. The upgrade locks the system to the repository for the new version of `system-release`.

 By always specifying what `releasever` (i.e. AL2023 release) to update to, you have a deterministic set of changes across a fleet. You launched version *A*, updated to *B*, and then updated to *C*. 
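The priority order above can be checked on a host before any update runs. The following is an added example, not part of the AL2023 tooling: `audit_releasever` is a hypothetical helper that takes the three inputs as arguments and reports which one wins and whether the host is locked to a date-stamped release or unlocked with `latest`.

```sh
#!/bin/sh
# Added example: which releasever would dnf use here, and is the host locked?

# True for a date-stamped release such as 2023.11.20260413.
is_pinned_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}\.[0-9]+\.[0-9]{8}$'
}

# audit_releasever CLI_VALUE VARS_FILE SYSTEM_RELEASE
#   CLI_VALUE       value given to --releasever= ("" if the flag is not used)
#   VARS_FILE       override file, /etc/dnf/vars/releasever on a real host
#   SYSTEM_RELEASE  output of `rpm -q system-release`
# Prints "state=... origin=... version=..." and exits 0 when locked,
# 1 when unlocked (latest), 2 when the value is neither (for example an
# override file that exists but is empty).
audit_releasever() (
    cli=$1 vars_file=$2 nvr=$3

    if [ -n "$cli" ]; then                       # method 1: command-line flag
        origin=cli
        version=$cli
    elif [ -f "$vars_file" ]; then               # method 2: override file
        origin=override
        version=$(tr -d '[:space:]' < "$vars_file")
    else                                         # method 3: system-release
        origin=system-release
        version=${nvr#system-release-}           # drop the package name
        version=${version%%-*}                   # drop "-0.amzn2023.noarch"
    fi

    if is_pinned_version "$version"; then
        state=locked
    elif [ "$version" = latest ]; then
        state=unlocked
    else
        state=invalid
    fi

    printf 'state=%s origin=%s version=%s\n' "$state" "$origin" "$version"
    case $state in
        locked)   exit 0 ;;
        unlocked) exit 1 ;;
        *)        exit 2 ;;
    esac
)

# Constructed demo inputs; on a real host call it as
#   audit_releasever "" /etc/dnf/vars/releasever "$(rpm -q system-release)"
demo() {
    dir=$(mktemp -d)
    nvr=system-release-2023.0.20230210-0.amzn2023.noarch   # from the rpm -q output above

    audit_releasever "" "$dir/releasever" "$nvr"               # fresh host, no override
    audit_releasever 2023.0.20230329 "$dir/releasever" "$nvr"  # explicit flag wins

    echo latest > "$dir/releasever"                            # persistent override set
    audit_releasever "" "$dir/releasever" "$nvr" \
        || echo "  -> exit $?: host is not locked to a release"
    rm -rf "$dir"
}
demo
```

Run across a fleet, a non-zero exit flags hosts whose next `dnf upgrade` would not be deterministic.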

## Selective update of a deterministic upgraded system
<a name="deterministic-upgrade-selective-update"></a>

**Note**  
 We recommend that all updates in a new release are installed rather than selecting specific updates. Only applying part of an update to the OS should be an exception to standard practice of taking the whole update. 

You might want to install selected packages from a recent release, while leaving the system locked to the original release version.

You can use `dnf check-update` to identify the packages that you want to upgrade.

```
$ sudo dnf check-update --releasever=latest --security
Amazon Linux 2023 repository                     13 MB/s |  10 MB     00:00
Last metadata expiration check: 0:00:02 ago on Wed 15 Feb 2023 02:52:21 AM UTC.

bind-libs.aarch64                  32:9.16.27-1.amzn2023.0.1         amazonlinux
bind-license.noarch                32:9.16.27-1.amzn2023.0.1         amazonlinux
bind-utils.aarch64                 32:9.16.27-1.amzn2023.0.1         amazonlinux
cryptsetup.aarch64                 2.4.3-2.amzn2023.0.1              amazonlinux
cryptsetup-libs.aarch64            2.4.3-2.amzn2023.0.1              amazonlinux
curl-minimal.aarch64               7.85.0-1.amzn2023.0.1             amazonlinux
glibc.aarch64                      2.34-40.amzn2023.0.2              amazonlinux
glibc-all-langpacks.aarch64        2.34-40.amzn2023.0.2              amazonlinux
glibc-common.aarch64               2.34-40.amzn2023.0.2              amazonlinux
glibc-locale-source.aarch64        2.34-40.amzn2023.0.2              amazonlinux
gmp.aarch64                        1:6.2.1-2.amzn2023.0.1            amazonlinux
gnupg2-minimal.aarch64             2.3.7-1.amzn2023.0.2              amazonlinux
gzip.aarch64                       1.10-5.amzn2023.0.1               amazonlinux
kernel.aarch64                     6.1.12-17.42.amzn2023             amazonlinux
kernel-tools.aarch64               6.1.12-17.42.amzn2023             amazonlinux
libarchive.aarch64                 3.5.3-2.amzn2023.0.1              amazonlinux
libcurl-minimal.aarch64            7.85.0-1.amzn2023.0.1             amazonlinux
libsepol.aarch64                   3.4-3.amzn2023.0.2                amazonlinux
libsolv.aarch64                    0.7.22-1.amzn2023.0.1             amazonlinux
libxml2.aarch64                    2.9.14-1.amzn2023.0.1             amazonlinux
logrotate.aarch64                  3.20.1-2.amzn2023.0.2             amazonlinux
lua-libs.aarch64                   5.4.4-3.amzn2023.0.1              amazonlinux
lz4-libs.aarch64                   1.9.4-1.amzn2023.0.1              amazonlinux
openssl.aarch64                    1:3.0.5-1.amzn2023.0.3            amazonlinux
openssl-libs.aarch64               1:3.0.5-1.amzn2023.0.3            amazonlinux
pcre2.aarch64                      10.40-1.amzn2023.0.1              amazonlinux
pcre2-syntax.noarch                10.40-1.amzn2023.0.1              amazonlinux
rsync.aarch64                      3.2.6-1.amzn2023.0.2              amazonlinux
vim-common.aarch64                 2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-data.noarch                    2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-enhanced.aarch64               2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-filesystem.noarch              2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-minimal.aarch64                2:9.0.475-1.amzn2023.0.1          amazonlinux
xz.aarch64                         5.2.5-9.amzn2023.0.1              amazonlinux
xz-libs.aarch64                    5.2.5-9.amzn2023.0.1              amazonlinux
zlib.aarch64                       1.2.11-32.amzn2023.0.3            amazonlinux
```

Install the packages that you want to upgrade. Use `sudo dnf upgrade --releasever=latest` and the package names to ensure that the `system-release` package remains unchanged.

```
$ sudo dnf upgrade --releasever=latest openssl openssl-libs
Last metadata expiration check: 0:01:28 ago on Wed 15 Feb 2023 02:52:21 AM UTC.
Dependencies resolved.
================================================================================
 Package          Arch        Version                     Repository       Size
================================================================================
Upgrading:
 openssl          aarch64     1:3.0.5-1.amzn2023.0.3      amazonlinux     1.1 M
 openssl-libs     aarch64     1:3.0.5-1.amzn2023.0.3      amazonlinux     2.1 M

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 3.2 M
```

**Note**  
Using `sudo dnf upgrade --releasever=latest` updates all packages, including `system-release`. Then, the version remains locked to the new `system-release` unless you set the persistent override.

## Using persistent override with deterministic upgrade
<a name="deterministic-upgrade-override-persist"></a>

**Note**  
 With deterministic updates, you can integrate OS changes into your CI/CD pipeline. Disabling deterministic updates removes the ability to test before deploying. 

Instead of adding `--releasever=latest`, you can use persistent override to *unlock* the system by setting the variable value to *latest*. By always using `latest`, this reverts the behavior of AL2023 to the AL2 update model, where any call to the package manager will *always* look at the latest release, and is not locked to any specific version of the OS.

**Warning**  
 By unlocking the package manager by using a persistent override of deterministic updates, you take the risk of discovering any possible incompatibility between your application and an OS update in production.   
 While incompatibilities *are* rare, with an OS update you are integrating new code changes into your environment. Integration tests can prevent deploying code changes that have a negative impact on production environments. 

```
$ echo latest | sudo tee /etc/dnf/vars/releasever
latest
```

```
$ sudo dnf upgrade
Last metadata expiration check: 0:03:36 ago on Wed 15 Feb 2023 02:52:21 AM UTC.
Dependencies resolved.
================================================================================
 Package                 Arch    Version                      Repository   Size
================================================================================
Installing:
 kernel                  aarch64 6.1.73-45.135.amzn2023       amazonlinux  24 M
Upgrading:
 acl                     aarch64 2.3.1-2.amzn2023.0.1         amazonlinux  72 k
 alternatives            aarch64 1.15-2.amzn2023.0.1          amazonlinux  36 k
 amazon-ec2-net-utils    noarch  2.3.0-1.amzn2023.0.1         amazonlinux  16 k
 at                      aarch64 3.1.23-6.amzn2023.0.1        amazonlinux  60 k
 attr                    aarch64 2.5.1-3.amzn2023.0.1         amazonlinux  59 k
 audit                   aarch64 3.0.6-1.amzn2023.0.1         amazonlinux 249 k
 audit-libs              aarch64 3.0.6-1.amzn2023.0.1         amazonlinux 116 k
 aws-c-auth-libs         aarch64 0.6.5-6.amzn2023.0.2         amazonlinux  79 k
 aws-c-cal-libs          aarch64 0.5.12-7.amzn2023.0.2        amazonlinux  34 k
 aws-c-common-libs       aarch64 0.6.14-6.amzn2023.0.2        amazonlinux 119 k
 aws-c-compression-libs  aarch64 0.2.14-5.amzn2023.0.2        amazonlinux  22 k
 aws-c-event-stream-libs aarch64 0.2.7-5.amzn2023.0.2         amazonlinux  47 k
 aws-c-http-libs         aarch64 0.6.8-6.amzn2023.0.2         amazonlinux 147 k
 aws-c-io-libs           aarch64 0.10.12-5.amzn2023.0.6       amazonlinux 109 k
 aws-c-mqtt-libs         aarch64 0.7.8-7.amzn2023.0.2         amazonlinux  61 k
 aws-c-s3-libs           aarch64 0.1.27-5.amzn2023.0.3        amazonlinux  54 k
 aws-c-sdkutils-libs     aarch64 0.1.1-5.amzn2023.0.2         amazonlinux  26 k
 aws-checksums-libs      aarch64 0.1.12-5.amzn2023.0.2        amazonlinux  50 k
 awscli-2                noarch  2.7.8-1.amzn2023.0.4         amazonlinux 7.3 M
 basesystem              noarch  11-11.amzn2023.0.1           amazonlinux 7.8 k
 bash                    aarch64 5.1.8-2.amzn2023.0.1         amazonlinux 1.6 M
 bash-completion         noarch  1:2.11-2.amzn2023.0.1        amazonlinux 292 k
 bc                      aarch64 1.07.1-14.amzn2023.0.1       amazonlinux 120 k
 bind-libs               aarch64 32:9.16.27-1.amzn2023.0.1    amazonlinux 1.2 M
 bind-license            noarch  32:9.16.27-1.amzn2023.0.1    amazonlinux  14 k
 bind-utils              aarch64 32:9.16.27-1.amzn2023.0.1    amazonlinux 206 k
 binutils                aarch64 2.38-20.amzn2023.0.3         amazonlinux 4.6 M
 boost-filesystem        aarch64 1.75.0-4.amzn2023.0.1        amazonlinux  55 k
 boost-system            aarch64 1.75.0-4.amzn2023.0.1        amazonlinux  14 k
 boost-thread            aarch64 1.75.0-4.amzn2023.0.1        amazonlinux  54 k
 bzip2                   aarch64 1.0.8-6.amzn2023.0.1         amazonlinux  53 k
 bzip2-libs              aarch64 1.0.8-6.amzn2023.0.1         amazonlinux  44 k
 c-ares                  aarch64 1.17.2-1.amzn2023.0.1        amazonlinux 107 k
 ca-certificates         noarch  2021.2.50-1.0.amzn2023.0.3   amazonlinux 343 k
 checkpolicy             aarch64 3.4-3.amzn2023.0.1           amazonlinux 345 k
 chkconfig               aarch64 1.15-2.amzn2023.0.1          amazonlinux 162 k
 chrony                  aarch64 4.2-7.amzn2023.0.4           amazonlinux 314 k
 cloud-init              noarch  22.2.2-1.amzn2023.1.7        amazonlinux 1.1 M
 cloud-utils-growpart    aarch64 0.31-8.amzn2023.0.2          amazonlinux  31 k
 coreutils               aarch64 8.32-30.amzn2023.0.2         amazonlinux 1.1 M
 coreutils-common        aarch64 8.32-30.amzn2023.0.2         amazonlinux 2.0 M
 cpio                    aarch64 2.13-10.amzn2023.0.1         amazonlinux 269 k
 cracklib                aarch64 2.9.6-27.amzn2023.0.1        amazonlinux  83 k
 cracklib-dicts          aarch64 2.9.6-27.amzn2023.0.1        amazonlinux 3.6 M
 crontabs                noarch  1.11-24.20190603git.amzn2023.0.1
                                                              amazonlinux  19 k
 crypto-policies         noarch  20230128-1.gitdfb10ea.amzn2023.0.1
                                                              amazonlinux  61 k
 crypto-policies-scripts noarch  20230128-1.gitdfb10ea.amzn2023.0.1
                                                              amazonlinux  81 k
...
Installing dependencies:
 amazon-linux-repo-cdn   noarch  2023.0.20230210-0.amzn2023   amazonlinux  16 k
 xxhash-libs             aarch64 0.8.0-3.amzn2023.0.1         amazonlinux  32 k
Installing weak dependencies:
 amazon-chrony-config    noarch  4.2-7.amzn2023.0.4           amazonlinux  14 k
 gawk-all-langpacks      aarch64 5.1.0-3.amzn2023.0.1         amazonlinux 207 k

Transaction Summary
================================================================================
Install    5 Packages
Upgrade  413 Packages

Total download size: 199 M
```

**Note**  
If you used the override variable `/etc/dnf/vars/releasever`, use the following command to restore the default locking behavior by erasing the override value.  

```
$ sudo rm /etc/dnf/vars/releasever
```

 Using a persistent override set to `latest` rather than a specific version is akin to the default behavior of AL2. There are services that build AMIs based on AL2 which disable this behavior, and lock to specific package versions like you get by default on AL2023. 

 Rather than disabling deterministic updates, we recommend replacing instances with ones launched from a new AMI. If instance replacement is not an option, we recommend using tools such as [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) to orchestrate applying updates across a fleet. [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/) can also automatically build, patch, and test your own AMIs derived from AL2023 base images. You can also [Receive notifications on new updates](receive-update-notification.md) which can be used to trigger your own AMI building pipelines. 

 Using `latest` in a pre-production environment, and then deploying to production using `latest`, does *not* provide protection from any issue between an OS update and your application. A new AL2023 release can be published at any point in time, and thus all uses of `latest` in production carry risk. 
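An audit check for the persistent override described in this section, as an added example (not AWS tooling): it classifies `releasever` under one or more root filesystems, such as mounted image roots, and fails when any of them is unlocked to `latest`. The function names are hypothetical, and the script assumes DNF takes the variable's value from the first line of the file.

```shell
#!/bin/sh
# Added example: detect hosts or images whose package manager has been
# unlocked with the persistent override. Function names are hypothetical.

# releasever_state [VARS_DIR]
# Prints one of:
#   locked             no override file (default deterministic behavior)
#   unlocked           override is "latest" (AL2-style update model)
#   override:<value>   override names some other value
#   empty-override     file exists but is empty; the page restores the
#                      default by removing the file, not by emptying it
# Returns 0 for locked/override, 1 for unlocked, 2 for empty-override.
releasever_state() {
    rs_file="${1:-/etc/dnf/vars}/releasever"
    if [ ! -e "$rs_file" ]; then
        echo "locked"
        return 0
    fi
    # Assumption: only the first line matters. Strip whitespace and any CR.
    rs_value=$(head -n 1 "$rs_file" 2>/dev/null | tr -d '[:space:]')
    case $rs_value in
        '')     echo "empty-override"; return 2 ;;
        latest) echo "unlocked"; return 1 ;;
        *)      echo "override:$rs_value"; return 0 ;;
    esac
}

# audit_roots ROOT...
# Prints "<root><TAB><state>" for each root filesystem and returns non-zero
# if any root is unlocked or has an empty override file.
audit_roots() {
    ar_bad=0
    for ar_root in "$@"; do
        ar_state=$(releasever_state "${ar_root%/}/etc/dnf/vars") || ar_bad=1
        printf '%s\t%s\n' "$ar_root" "$ar_state"
    done
    return "$ar_bad"
}

# Usage on a running instance:   audit_roots /
# Usage on mounted image roots:  audit_roots /mnt/image-a /mnt/image-b
```

A non-zero status from `audit_roots` can fail an image build or raise a configuration finding before an unlocked instance reaches production.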

# Manage package and operating system updates in AL2023
<a name="managing-repos-os-updates"></a>

Unlike previous versions of Amazon Linux, AL2023 AMIs are locked to a specific version of the Amazon Linux repository. To apply both security and bug fixes to an AL2023 instance, update the DNF configuration to the latest available release version. Alternatively, launch a newer AL2023 instance. 

 This section describes how to manage DNF packages and repositories on a running instance. It also describes how to configure DNF from a user data script to enable the latest available Amazon Linux repository at launch time. For more information, see [DNF Command Reference](https://dnf.readthedocs.io/en/latest/command_ref.html). 

 It is recommended to apply *all* updates available in a new AL2023 release. Picking just security updates, or only specific updates, should be the exception rather than the rule. For listing which [Security advisories](alas.md) are relevant to a particular instance, see [Listing applicable Advisories](listing-applicable-advisories.md). For information on installing *only* updates relevant to a specific [Advisory](alas.md), see [Applying security updates in-place](security-inplace-update.md). 

**Important**  
 If you want to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, contact AWS Security using the [Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). 

**Topics**
+ [Checking for available package updates](#dnf-package-updates)
+ [Applying security updates using DNF and repository versions](#apply-security-updates)
+ [Automatic service restart after (security) updates](#automatic-restart-services)
+ [When is a reboot required to apply security updates?](#reboot)
+ [Launching an instance with the latest repository version enabled](#launch-an-instance-repo-version)
+ [Getting package support information](#dnf-support-info-plugin)
+ [Checking for newer repository versions with `dnf check-release-update`](#dnf-repository-updates)
+ [Adding, enabling, or disabling new repositories](#dnf-repo-addition)
+ [Adding repositories with cloud-init](#cloud-init-repo-update)

## Checking for available package updates
<a name="dnf-package-updates"></a>

You can use the `dnf check-update` command to check for any updates for your system. For AL2023, we recommend that you add the `--releasever=version-number` option to the command.

When you add this option, DNF also checks for updates for a later version of the repository. For example, after you run the `dnf check-update` command, use the latest returned version as the value for the `version-number`.

If the instance is updated to use the latest version of the repository, the output includes a list of all the packages to be updated.

**Note**  
If you don't specify the release version with the optional flag to the `dnf check-update` command, only the currently configured repository version is checked. This means that packages in the later version of the repository aren't checked.

------
#### [ Updates in a specific version ]

 In this example we are going to look at what updates are available in the [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) release if we launched a container of the [2023.0.20230315](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.0.20230315.html) release. 

**Note**  
 This example uses the [2023.0.20230315](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.0.20230315.html) and [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) releases, and these *are not* the latest release of AL2023. See the [AL2023 Release Notes](https://docs.aws.amazon.com/linux/al2023/release-notes/) for the latest releases, which contain the latest security updates. 

 In this example we will be starting with a container image for the [2023.0.20230315](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.0.20230315.html) release. 

 First, we fetch this container image from the container registry. The `.0` at the end indicates the version of the image for a particular release; this image version is usually zero. 

```
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
2023.0.20230315.0: Pulling from amazonlinux/amazonlinux
b76f3b09316a: Pull complete
Digest: sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
```

 We can now spawn a shell inside the container, from which we will check for updates. 

```
$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
bash-5.2#
```

 The `dnf check-update` command is now used to check updates available in the [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) release. 

**Note**  
 Applying package updates is a privileged operation. Although elevating privileges is typically not required when running in a container, if running in a non-containerized environment such as an Amazon EC2 instance, you can *check* for updates without elevating privileges. 

```
$ dnf check-update --releasever=2023.1.20230628
Amazon Linux 2023 repository                      60 MB/s |  15 MB     00:00
Last metadata expiration check: 0:00:02 ago on Mon Jul 22 17:25:34 2024.

amazon-linux-repo-cdn.noarch        2023.1.20230628-0.amzn2023        amazonlinux
ca-certificates.noarch              2023.2.60-1.0.amzn2023.0.2        amazonlinux
curl-minimal.x86_64                 8.0.1-1.amzn2023                  amazonlinux
glib2.x86_64                        2.74.7-688.amzn2023.0.1           amazonlinux
glibc.x86_64                        2.34-52.amzn2023.0.3              amazonlinux
glibc-common.x86_64                 2.34-52.amzn2023.0.3              amazonlinux
glibc-minimal-langpack.x86_64       2.34-52.amzn2023.0.3              amazonlinux
gnupg2-minimal.x86_64               2.3.7-1.amzn2023.0.4              amazonlinux
keyutils-libs.x86_64                1.6.3-1.amzn2023                  amazonlinux
libcap.x86_64                       2.48-2.amzn2023.0.3               amazonlinux
libcurl-minimal.x86_64              8.0.1-1.amzn2023                  amazonlinux
libgcc.x86_64                       11.3.1-4.amzn2023.0.3             amazonlinux
libgomp.x86_64                      11.3.1-4.amzn2023.0.3             amazonlinux
libstdc++.x86_64                    11.3.1-4.amzn2023.0.3             amazonlinux
libxml2.x86_64                      2.10.4-1.amzn2023.0.1             amazonlinux
ncurses-base.noarch                 6.2-4.20200222.amzn2023.0.4       amazonlinux
ncurses-libs.x86_64                 6.2-4.20200222.amzn2023.0.4       amazonlinux
openssl-libs.x86_64                 1:3.0.8-1.amzn2023.0.3            amazonlinux
python3-rpm.x86_64                  4.16.1.3-12.amzn2023.0.6          amazonlinux
rpm.x86_64                          4.16.1.3-12.amzn2023.0.6          amazonlinux
rpm-build-libs.x86_64               4.16.1.3-12.amzn2023.0.6          amazonlinux
rpm-libs.x86_64                     4.16.1.3-12.amzn2023.0.6          amazonlinux
rpm-sign-libs.x86_64                4.16.1.3-12.amzn2023.0.6          amazonlinux
system-release.noarch               2023.1.20230628-0.amzn2023        amazonlinux
tzdata.noarch                       2023c-1.amzn2023.0.1              amazonlinux
bash-5.2#
```

 The version of the `system-release` package shows the release that a `dnf upgrade` command would update to, which is the [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) release that was requested in the `dnf check-update --releasever=2023.1.20230628` command. 

------
#### [ Updates in the latest version ]

 In this example we are going to look at what updates are available in the `latest` version of AL2023 if we launched a container of the [2023.4.20240319](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html) release. At the time of writing, the `latest` release is [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html), so the listed updates in this example will be as of that release. 

**Note**  
 This example uses the [2023.4.20240319](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html) and [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html) releases, the latter being the latest release *at the time of writing*. For more information on the latest releases, see the [AL2023 Release Notes](https://docs.aws.amazon.com/linux/al2023/release-notes/). 

 In this example we will be starting with a container image for the [2023.4.20240319](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html) release. 

 First, we fetch this container image from the container registry. The `.1` at the end indicates the version of the image for a particular release. While the image version is typically zero, this example uses a release where the image version is one. 

```
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
2023.4.20240319.1: Pulling from amazonlinux/amazonlinux
6de065fda9a2: Pull complete
Digest: sha256:b4838c4cc9211d966b6ea158dacc9eda7433a16ba94436508c2d9f01f7658b4e
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
```

 We can now spawn a shell inside the container, from which we will check for updates. 

```
$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
bash-5.2#
```

 The `dnf check-update` command is now used to check updates available in the `latest` release, which *at the time of writing* was [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html). 

**Note**  
 Applying package updates is a privileged operation. Although elevating privileges is typically not required when running in a container, if running in a non-containerized environment such as an Amazon EC2 instance, you can *check* for updates without elevating privileges. 

```
$ dnf --releasever=latest check-update
Amazon Linux 2023 repository                      78 MB/s |  25 MB     00:00
Last metadata expiration check: 0:00:04 ago on Mon Jul 22 17:39:13 2024.

amazon-linux-repo-cdn.noarch        2023.5.20240708-1.amzn2023        amazonlinux
curl-minimal.x86_64                 8.5.0-1.amzn2023.0.4              amazonlinux
dnf.noarch                          4.14.0-1.amzn2023.0.5             amazonlinux
dnf-data.noarch                     4.14.0-1.amzn2023.0.5             amazonlinux
expat.x86_64                        2.5.0-1.amzn2023.0.4              amazonlinux
glibc.x86_64                        2.34-52.amzn2023.0.10             amazonlinux
glibc-common.x86_64                 2.34-52.amzn2023.0.10             amazonlinux
glibc-minimal-langpack.x86_64       2.34-52.amzn2023.0.10             amazonlinux
krb5-libs.x86_64                    1.21-3.amzn2023.0.4               amazonlinux
libblkid.x86_64                     2.37.4-1.amzn2023.0.4             amazonlinux
libcurl-minimal.x86_64              8.5.0-1.amzn2023.0.4              amazonlinux
libmount.x86_64                     2.37.4-1.amzn2023.0.4             amazonlinux
libnghttp2.x86_64                   1.59.0-3.amzn2023.0.1             amazonlinux
libsmartcols.x86_64                 2.37.4-1.amzn2023.0.4             amazonlinux
libuuid.x86_64                      2.37.4-1.amzn2023.0.4             amazonlinux
openssl-libs.x86_64                 1:3.0.8-1.amzn2023.0.12           amazonlinux
python3.x86_64                      3.9.16-1.amzn2023.0.8             amazonlinux
python3-dnf.noarch                  4.14.0-1.amzn2023.0.5             amazonlinux
python3-libs.x86_64                 3.9.16-1.amzn2023.0.8             amazonlinux
system-release.noarch               2023.5.20240708-1.amzn2023        amazonlinux
yum.noarch                          4.14.0-1.amzn2023.0.5             amazonlinux
bash-5.2#
```

 The version of the `system-release` package shows the release that a `dnf upgrade` command would update to. 

------

For this command, if there are newer packages available, the return code is 100. If there aren't any newer packages available, the return code is 0. The output also lists all the packages to update. 
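The return codes and the `system-release` line described above can gate an automated update on the release that was actually tested. This is an added example, not part of the AWS documentation: the function names are hypothetical, and the sample text is abridged from the `dnf check-update` output shown on this page.

```shell
#!/bin/sh
# Added example: decide whether a host may be updated, based on the exit
# status and output of `dnf check-update`. Function names are hypothetical.

# Constructed samples, abridged from the check-update output on this page.
SAMPLE_PINNED='Last metadata expiration check: 0:00:02 ago on Mon Jul 22 17:25:34 2024.

glibc.x86_64                        2.34-52.amzn2023.0.3              amazonlinux
openssl-libs.x86_64                 1:3.0.8-1.amzn2023.0.3            amazonlinux
system-release.noarch               2023.1.20230628-0.amzn2023        amazonlinux
tzdata.noarch                       2023c-1.amzn2023.0.1              amazonlinux'

SAMPLE_LATEST='Last metadata expiration check: 0:00:04 ago on Mon Jul 22 17:39:13 2024.

openssl-libs.x86_64                 1:3.0.8-1.amzn2023.0.12           amazonlinux
system-release.noarch               2023.5.20240708-1.amzn2023        amazonlinux
yum.noarch                          4.14.0-1.amzn2023.0.5             amazonlinux'

# target_release: read check-update output on stdin and print the release
# that `dnf upgrade` would move to, taken from the system-release line.
# Prints nothing when system-release is not among the listed updates.
target_release() {
    awk '$1 ~ /^system-release\./ && NF >= 3 {
             v = $2
             sub(/^[0-9]+:/, "", v)   # drop an epoch prefix if present
             sub(/-.*$/, "", v)       # drop the "-N.amzn2023" build suffix
             print v
             exit
         }'
}

# gate_update APPROVED RC   (check-update output on stdin)
# RC is the exit status of `dnf check-update`. Prints a verdict:
#   up-to-date          RC 0, nothing to do
#   apply:<release>     RC 100 and the target release is the approved one
#   packages-only       RC 100 but system-release itself is not changing
#   mismatch:<release>  RC 100 and the target is NOT the approved release
#   error               any other RC
# Returns 0 when it is safe to proceed, 1 on mismatch, 2 on error.
gate_update() {
    case $2 in
        0)   echo "up-to-date"; return 0 ;;
        100) ;;
        *)   echo "error"; return 2 ;;
    esac
    gate_target=$(target_release)
    if [ -z "$gate_target" ]; then
        echo "packages-only"
        return 0
    fi
    if [ "$gate_target" = "$1" ]; then
        echo "apply:$gate_target"
        return 0
    fi
    echo "mismatch:$gate_target"
    return 1
}

# check_host APPROVED: run the real command on an AL2023 host and gate on it.
check_host() {
    ch_rc=0
    ch_out=$(dnf check-update --releasever="$1" 2>&1) || ch_rc=$?
    printf '%s\n' "$ch_out" | gate_update "$1" "$ch_rc"
}
```

Feeding `gate_update` output that was captured with `--releasever=latest` yields a `mismatch:` verdict as soon as a newer release is published, which is the drift the page warns about.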

## Applying security updates using DNF and repository versions
<a name="apply-security-updates"></a>

New package updates and security updates are made available to new repository versions only. For instances that you launched from earlier AL2023 AMI versions, you must update the repository version before you can install security updates. The `dnf check-release-update` command includes an example update command that updates all the packages that are installed on the system to versions in a newer repository.

**Note**  
 If you don't specify the release version with the optional flag to the `dnf check-update` command, only the currently configured repository version is checked. This means that any update to installed packages present in any later version of the repository isn't applied.

 This section covers the recommended upgrade path of applying all available updates rather than picking and choosing individual updates or only ones marked as security updates. By applying all updates, existing instances are moved to the same package set as launching an updated AMI. This consistency reduces the variation of package versions across a fleet. For more information on applying specific updates, see [Applying security updates in-place](security-inplace-update.md). 

------
#### [ Applying updates in a specific version ]

 In this example we are going to apply updates available in the [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) release if we launched a container of the [2023.0.20230315](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.0.20230315.html) release. 

**Note**  
 This example uses the [2023.0.20230315](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.0.20230315.html) and [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) releases, and these *are not* the latest release of AL2023. See the [AL2023 Release Notes](https://docs.aws.amazon.com/linux/al2023/release-notes/) for the latest releases, which contain the latest security updates. 

 In this example we will be starting with a container image for the [2023.0.20230315](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.0.20230315.html) release. 

 First, we fetch this container image from the container registry. The `.0` at the end indicates the version of the image for a particular release; this image version is usually zero. 

```
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
2023.0.20230315.0: Pulling from amazonlinux/amazonlinux
b76f3b09316a: Pull complete
Digest: sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
```

 We can now spawn a shell inside the container, from which we will apply updates. 

```
$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
bash-5.2#
```

 The `dnf upgrade` command is now used to apply all of the updates present in the [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) release. 

**Note**  
 Applying package updates is a privileged operation. Although elevating privileges is typically not required when running in a container, if running in a non-containerized environment such as an Amazon EC2 instance, you will need to run the `dnf upgrade` command as the `root` user. This can be done using the `sudo` or `su` commands. 

```
$ dnf upgrade --releasever=2023.1.20230628
Amazon Linux 2023 repository                      38 MB/s |  15 MB     00:00
Last metadata expiration check: 0:00:02 ago on Mon Jul 22 17:49:08 2024.
Dependencies resolved.
=================================================================================
 Package                 Arch    Version                      Repository    Size
=================================================================================
Upgrading:
 amazon-linux-repo-cdn   noarch  2023.1.20230628-0.amzn2023   amazonlinux   18 k
 ca-certificates         noarch  2023.2.60-1.0.amzn2023.0.2   amazonlinux  829 k
 curl-minimal            x86_64  8.0.1-1.amzn2023             amazonlinux  150 k
 glib2                   x86_64  2.74.7-688.amzn2023.0.1      amazonlinux  2.7 M
 glibc                   x86_64  2.34-52.amzn2023.0.3         amazonlinux  1.9 M
 glibc-common            x86_64  2.34-52.amzn2023.0.3         amazonlinux  307 k
 glibc-minimal-langpack  x86_64  2.34-52.amzn2023.0.3         amazonlinux   35 k
 gnupg2-minimal          x86_64  2.3.7-1.amzn2023.0.4         amazonlinux  421 k
 keyutils-libs           x86_64  1.6.3-1.amzn2023             amazonlinux   33 k
 libcap                  x86_64  2.48-2.amzn2023.0.3          amazonlinux   67 k
 libcurl-minimal         x86_64  8.0.1-1.amzn2023             amazonlinux  249 k
 libgcc                  x86_64  11.3.1-4.amzn2023.0.3        amazonlinux  105 k
 libgomp                 x86_64  11.3.1-4.amzn2023.0.3        amazonlinux  280 k
 libstdc++               x86_64  11.3.1-4.amzn2023.0.3        amazonlinux  744 k
 libxml2                 x86_64  2.10.4-1.amzn2023.0.1        amazonlinux  706 k
 ncurses-base            noarch  6.2-4.20200222.amzn2023.0.4  amazonlinux   60 k
 ncurses-libs            x86_64  6.2-4.20200222.amzn2023.0.4  amazonlinux  328 k
 openssl-libs            x86_64  1:3.0.8-1.amzn2023.0.3       amazonlinux  2.2 M
 python3-rpm             x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux   88 k
 rpm                     x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux  486 k
 rpm-build-libs          x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux   90 k
 rpm-libs                x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux  309 k
 rpm-sign-libs           x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux   21 k
 system-release          noarch  2023.1.20230628-0.amzn2023   amazonlinux   29 k
 tzdata                  noarch  2023c-1.amzn2023.0.1         amazonlinux  433 k

Transaction Summary
=================================================================================
Upgrade  25 Packages

Total download size: 12 M
Is this ok [y/N]:
```

 The version of the `system-release` package shows the release that a `dnf upgrade` command would update to, which is the [2023.1.20230628](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.1.20230628.html) release that was requested in the `dnf upgrade --releasever=2023.1.20230628` command. 

 By default, `dnf` will ask you to confirm you wish to apply the updates. You can bypass this prompt by using the `-y` flag to `dnf`. For this example, the `dnf upgrade -y --releasever=2023.1.20230628` command would not ask for confirmation before applying the updates. This is useful in scripts or other automation environments. 

 Once you confirm that you want to apply the updates, `dnf` applies them. 

```
Is this ok [y/N]:y
Downloading Packages:
(1/25): libcap-2.48-2.amzn2023.0.3.x86_64.rpm    1.5 MB/s |  67 kB     00:00
(2/25): python3-rpm-4.16.1.3-12.amzn2023.0.6.x86 2.1 MB/s |  88 kB     00:00
(3/25): libcurl-minimal-8.0.1-1.amzn2023.x86_64. 2.6 MB/s | 249 kB     00:00
(4/25): glib2-2.74.7-688.amzn2023.0.1.x86_64.rpm  26 MB/s | 2.7 MB     00:00
(5/25): glibc-minimal-langpack-2.34-52.amzn2023. 1.3 MB/s |  35 kB     00:00
(6/25): rpm-build-libs-4.16.1.3-12.amzn2023.0.6. 2.8 MB/s |  90 kB     00:00
(7/25): rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64 6.6 MB/s | 309 kB     00:00
(8/25): libgcc-11.3.1-4.amzn2023.0.3.x86_64.rpm  3.9 MB/s | 105 kB     00:00
(9/25): glibc-common-2.34-52.amzn2023.0.3.x86_64  11 MB/s | 307 kB     00:00
(10/25): glibc-2.34-52.amzn2023.0.3.x86_64.rpm    31 MB/s | 1.9 MB     00:00
(11/25): rpm-sign-libs-4.16.1.3-12.amzn2023.0.6. 877 kB/s |  21 kB     00:00
(12/25): gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86  15 MB/s | 421 kB     00:00
(13/25): openssl-libs-3.0.8-1.amzn2023.0.3.x86_6  35 MB/s | 2.2 MB     00:00
(14/25): libxml2-2.10.4-1.amzn2023.0.1.x86_64.rp  14 MB/s | 706 kB     00:00
(15/25): curl-minimal-8.0.1-1.amzn2023.x86_64.rp 4.2 MB/s | 150 kB     00:00
(16/25): rpm-4.16.1.3-12.amzn2023.0.6.x86_64.rpm  11 MB/s | 486 kB     00:00
(17/25): libgomp-11.3.1-4.amzn2023.0.3.x86_64.rp 7.0 MB/s | 280 kB     00:00
(18/25): libstdc++-11.3.1-4.amzn2023.0.3.x86_64.  14 MB/s | 744 kB     00:00
(19/25): keyutils-libs-1.6.3-1.amzn2023.x86_64.r 1.6 MB/s |  33 kB     00:00
(20/25): ncurses-libs-6.2-4.20200222.amzn2023.0.  10 MB/s | 328 kB     00:00
(21/25): tzdata-2023c-1.amzn2023.0.1.noarch.rpm   11 MB/s | 433 kB     00:00
(22/25): amazon-linux-repo-cdn-2023.1.20230628-0 781 kB/s |  18 kB     00:00
(23/25): ca-certificates-2023.2.60-1.0.amzn2023.  16 MB/s | 829 kB     00:00
(24/25): system-release-2023.1.20230628-0.amzn20 1.5 MB/s |  29 kB     00:00
(25/25): ncurses-base-6.2-4.20200222.amzn2023.0. 3.1 MB/s |  60 kB     00:00
---------------------------------------------------------------------------------
Total                                             28 MB/s |  12 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                         1/1
  Upgrading        : libgcc-11.3.1-4.amzn2023.0.3.x86_64                    1/50
  Running scriptlet: libgcc-11.3.1-4.amzn2023.0.3.x86_64                    1/50
  Upgrading        : system-release-2023.1.20230628-0.amzn2023.noarch       2/50
  Upgrading        : amazon-linux-repo-cdn-2023.1.20230628-0.amzn2023.no    3/50
  Upgrading        : ncurses-base-6.2-4.20200222.amzn2023.0.4.noarch        4/50
  Upgrading        : tzdata-2023c-1.amzn2023.0.1.noarch                     5/50
  Upgrading        : glibc-common-2.34-52.amzn2023.0.3.x86_64               6/50
  Running scriptlet: glibc-2.34-52.amzn2023.0.3.x86_64                      7/50
  Upgrading        : glibc-2.34-52.amzn2023.0.3.x86_64                      7/50
  Running scriptlet: glibc-2.34-52.amzn2023.0.3.x86_64                      7/50
  Upgrading        : glibc-minimal-langpack-2.34-52.amzn2023.0.3.x86_64     8/50
  Upgrading        : libcap-2.48-2.amzn2023.0.3.x86_64                      9/50
  Upgrading        : gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64            10/50
  Upgrading        : libgomp-11.3.1-4.amzn2023.0.3.x86_64                  11/50
  Running scriptlet: ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch     12/50
  Upgrading        : ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch     12/50
  Running scriptlet: ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch     12/50
  Upgrading        : openssl-libs-1:3.0.8-1.amzn2023.0.3.x86_64            13/50
  Upgrading        : libcurl-minimal-8.0.1-1.amzn2023.x86_64               14/50
  Upgrading        : curl-minimal-8.0.1-1.amzn2023.x86_64                  15/50
  Upgrading        : rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64              16/50
  Upgrading        : rpm-4.16.1.3-12.amzn2023.0.6.x86_64                   17/50
  Upgrading        : rpm-build-libs-4.16.1.3-12.amzn2023.0.6.x86_64        18/50
  Upgrading        : rpm-sign-libs-4.16.1.3-12.amzn2023.0.6.x86_64         19/50
  Upgrading        : python3-rpm-4.16.1.3-12.amzn2023.0.6.x86_64           20/50
  Upgrading        : glib2-2.74.7-688.amzn2023.0.1.x86_64                  21/50
  Upgrading        : libxml2-2.10.4-1.amzn2023.0.1.x86_64                  22/50
  Upgrading        : libstdc++-11.3.1-4.amzn2023.0.3.x86_64                23/50
  Upgrading        : keyutils-libs-1.6.3-1.amzn2023.x86_64                 24/50
  Upgrading        : ncurses-libs-6.2-4.20200222.amzn2023.0.4.x86_64       25/50
  Cleanup          : glib2-2.73.2-680.amzn2023.0.3.x86_64                  26/50
  Cleanup          : libstdc++-11.3.1-4.amzn2023.0.2.x86_64                27/50
  Cleanup          : libxml2-2.10.3-2.amzn2023.0.1.x86_64                  28/50
  Cleanup          : python3-rpm-4.16.1.3-12.amzn2023.0.5.x86_64           29/50
  Cleanup          : rpm-build-libs-4.16.1.3-12.amzn2023.0.5.x86_64        30/50
  Cleanup          : rpm-sign-libs-4.16.1.3-12.amzn2023.0.5.x86_64         31/50
  Cleanup          : rpm-libs-4.16.1.3-12.amzn2023.0.5.x86_64              32/50
  Cleanup          : libcap-2.48-2.amzn2023.0.2.x86_64                     33/50
  Cleanup          : gnupg2-minimal-2.3.7-1.amzn2023.0.3.x86_64            34/50
  Cleanup          : ncurses-libs-6.2-4.20200222.amzn2023.0.3.x86_64       35/50
  Cleanup          : libgomp-11.3.1-4.amzn2023.0.2.x86_64                  36/50
  Cleanup          : rpm-4.16.1.3-12.amzn2023.0.5.x86_64                   37/50
  Cleanup          : curl-minimal-7.88.1-1.amzn2023.0.1.x86_64             38/50
  Cleanup          : libcurl-minimal-7.88.1-1.amzn2023.0.1.x86_64          39/50
  Cleanup          : openssl-libs-1:3.0.8-1.amzn2023.0.1.x86_64            40/50
  Cleanup          : keyutils-libs-1.6.1-2.amzn2023.0.2.x86_64             41/50
  Cleanup          : amazon-linux-repo-cdn-2023.0.20230315-1.amzn2023.no   42/50
  Cleanup          : system-release-2023.0.20230315-1.amzn2023.noarch      43/50
  Cleanup          : ca-certificates-2023.2.60-1.0.amzn2023.0.1.noarch     44/50
  Cleanup          : ncurses-base-6.2-4.20200222.amzn2023.0.3.noarch       45/50
  Cleanup          : glibc-minimal-langpack-2.34-52.amzn2023.0.2.x86_64    46/50
  Cleanup          : glibc-2.34-52.amzn2023.0.2.x86_64                     47/50
  Cleanup          : glibc-common-2.34-52.amzn2023.0.2.x86_64              48/50
  Cleanup          : tzdata-2022g-1.amzn2023.0.1.noarch                    49/50
  Cleanup          : libgcc-11.3.1-4.amzn2023.0.2.x86_64                   50/50
  Running scriptlet: libgcc-11.3.1-4.amzn2023.0.2.x86_64                   50/50
  Running scriptlet: ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch     50/50
  Running scriptlet: rpm-4.16.1.3-12.amzn2023.0.6.x86_64                   50/50
  Running scriptlet: libgcc-11.3.1-4.amzn2023.0.2.x86_64                   50/50
  Verifying        : libcurl-minimal-8.0.1-1.amzn2023.x86_64                1/50
  Verifying        : libcurl-minimal-7.88.1-1.amzn2023.0.1.x86_64           2/50
  Verifying        : libcap-2.48-2.amzn2023.0.3.x86_64                      3/50
  Verifying        : libcap-2.48-2.amzn2023.0.2.x86_64                      4/50
  Verifying        : glib2-2.74.7-688.amzn2023.0.1.x86_64                   5/50
  Verifying        : glib2-2.73.2-680.amzn2023.0.3.x86_64                   6/50
  Verifying        : python3-rpm-4.16.1.3-12.amzn2023.0.6.x86_64            7/50
  Verifying        : python3-rpm-4.16.1.3-12.amzn2023.0.5.x86_64            8/50
  Verifying        : glibc-minimal-langpack-2.34-52.amzn2023.0.3.x86_64     9/50
  Verifying        : glibc-minimal-langpack-2.34-52.amzn2023.0.2.x86_64    10/50
  Verifying        : rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64              11/50
  Verifying        : rpm-libs-4.16.1.3-12.amzn2023.0.5.x86_64              12/50
  Verifying        : rpm-build-libs-4.16.1.3-12.amzn2023.0.6.x86_64        13/50
  Verifying        : rpm-build-libs-4.16.1.3-12.amzn2023.0.5.x86_64        14/50
  Verifying        : glibc-2.34-52.amzn2023.0.3.x86_64                     15/50
  Verifying        : glibc-2.34-52.amzn2023.0.2.x86_64                     16/50
  Verifying        : libgcc-11.3.1-4.amzn2023.0.3.x86_64                   17/50
  Verifying        : libgcc-11.3.1-4.amzn2023.0.2.x86_64                   18/50
  Verifying        : glibc-common-2.34-52.amzn2023.0.3.x86_64              19/50
  Verifying        : glibc-common-2.34-52.amzn2023.0.2.x86_64              20/50
  Verifying        : rpm-sign-libs-4.16.1.3-12.amzn2023.0.6.x86_64         21/50
  Verifying        : rpm-sign-libs-4.16.1.3-12.amzn2023.0.5.x86_64         22/50
  Verifying        : openssl-libs-1:3.0.8-1.amzn2023.0.3.x86_64            23/50
  Verifying        : openssl-libs-1:3.0.8-1.amzn2023.0.1.x86_64            24/50
  Verifying        : gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64            25/50
  Verifying        : gnupg2-minimal-2.3.7-1.amzn2023.0.3.x86_64            26/50
  Verifying        : libxml2-2.10.4-1.amzn2023.0.1.x86_64                  27/50
  Verifying        : libxml2-2.10.3-2.amzn2023.0.1.x86_64                  28/50
  Verifying        : curl-minimal-8.0.1-1.amzn2023.x86_64                  29/50
  Verifying        : curl-minimal-7.88.1-1.amzn2023.0.1.x86_64             30/50
  Verifying        : rpm-4.16.1.3-12.amzn2023.0.6.x86_64                   31/50
  Verifying        : rpm-4.16.1.3-12.amzn2023.0.5.x86_64                   32/50
  Verifying        : libstdc++-11.3.1-4.amzn2023.0.3.x86_64                33/50
  Verifying        : libstdc++-11.3.1-4.amzn2023.0.2.x86_64                34/50
  Verifying        : libgomp-11.3.1-4.amzn2023.0.3.x86_64                  35/50
  Verifying        : libgomp-11.3.1-4.amzn2023.0.2.x86_64                  36/50
  Verifying        : keyutils-libs-1.6.3-1.amzn2023.x86_64                 37/50
  Verifying        : keyutils-libs-1.6.1-2.amzn2023.0.2.x86_64             38/50
  Verifying        : ncurses-libs-6.2-4.20200222.amzn2023.0.4.x86_64       39/50
  Verifying        : ncurses-libs-6.2-4.20200222.amzn2023.0.3.x86_64       40/50
  Verifying        : ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch     41/50
  Verifying        : ca-certificates-2023.2.60-1.0.amzn2023.0.1.noarch     42/50
  Verifying        : tzdata-2023c-1.amzn2023.0.1.noarch                    43/50
  Verifying        : tzdata-2022g-1.amzn2023.0.1.noarch                    44/50
  Verifying        : amazon-linux-repo-cdn-2023.1.20230628-0.amzn2023.no   45/50
  Verifying        : amazon-linux-repo-cdn-2023.0.20230315-1.amzn2023.no   46/50
  Verifying        : system-release-2023.1.20230628-0.amzn2023.noarch      47/50
  Verifying        : system-release-2023.0.20230315-1.amzn2023.noarch      48/50
  Verifying        : ncurses-base-6.2-4.20200222.amzn2023.0.4.noarch       49/50
  Verifying        : ncurses-base-6.2-4.20200222.amzn2023.0.3.noarch       50/50

Upgraded:
  amazon-linux-repo-cdn-2023.1.20230628-0.amzn2023.noarch
  ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch
  curl-minimal-8.0.1-1.amzn2023.x86_64
  glib2-2.74.7-688.amzn2023.0.1.x86_64
  glibc-2.34-52.amzn2023.0.3.x86_64
  glibc-common-2.34-52.amzn2023.0.3.x86_64
  glibc-minimal-langpack-2.34-52.amzn2023.0.3.x86_64
  gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64
  keyutils-libs-1.6.3-1.amzn2023.x86_64
  libcap-2.48-2.amzn2023.0.3.x86_64
  libcurl-minimal-8.0.1-1.amzn2023.x86_64
  libgcc-11.3.1-4.amzn2023.0.3.x86_64
  libgomp-11.3.1-4.amzn2023.0.3.x86_64
  libstdc++-11.3.1-4.amzn2023.0.3.x86_64
  libxml2-2.10.4-1.amzn2023.0.1.x86_64
  ncurses-base-6.2-4.20200222.amzn2023.0.4.noarch
  ncurses-libs-6.2-4.20200222.amzn2023.0.4.x86_64
  openssl-libs-1:3.0.8-1.amzn2023.0.3.x86_64
  python3-rpm-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-build-libs-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-sign-libs-4.16.1.3-12.amzn2023.0.6.x86_64
  system-release-2023.1.20230628-0.amzn2023.noarch
  tzdata-2023c-1.amzn2023.0.1.noarch

  Complete!
bash-5.2#
```

------
#### [ Updates in the latest version ]

 In this example, we apply the updates available in the `latest` version of AL2023 to a container launched from the [2023.4.20240319](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html) release. At the time of writing, the `latest` release is [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html), so the updates listed in this example are as of that release. 

**Note**  
 This example uses the [2023.4.20240319](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html) and [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html) releases, the latter being the latest release *at the time of writing*. For more information on the latest releases, see the [AL2023 Release Notes](https://docs.aws.amazon.com/linux/al2023/release-notes/). 

 In this example we will be starting with a container image for the [2023.4.20240319](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html) release. 

 First, we fetch this container image from the container registry. The `.1` at the end indicates the version of the image for a particular release. While the image version is typically zero, this example uses a release where the image version is one. 

```
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
2023.4.20240319.1: Pulling from amazonlinux/amazonlinux
6de065fda9a2: Pull complete
Digest: sha256:b4838c4cc9211d966b6ea158dacc9eda7433a16ba94436508c2d9f01f7658b4e
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
```

 We can now spawn a shell inside the container, from which we will apply updates. 

```
$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
bash-5.2#
```

 The `dnf upgrade` command is now used to apply updates available in the `latest` release, which *at the time of writing* was [2023.5.20240708](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240708.html). 

**Note**  
 Applying package updates is a privileged operation. Although elevating privileges is typically not required when running in a container, if running in a non-containerized environment such as an Amazon EC2 instance, you will need to run the `dnf upgrade` command as the `root` user. This can be done using the `sudo` or `su` commands. 

 By default, `dnf` will ask you to confirm you wish to apply the updates. In this example, we are bypassing this prompt by using the `-y` flag to `dnf`. 

```
$ dnf -y --releasever=latest update
Amazon Linux 2023 repository                      75 MB/s |  25 MB     00:00
Last metadata expiration check: 0:00:04 ago on Mon Jul 22 18:00:10 2024.
Dependencies resolved.
=================================================================================
 Package                 Arch    Version                      Repository    Size
=================================================================================
Upgrading:
 amazon-linux-repo-cdn   noarch  2023.5.20240708-1.amzn2023   amazonlinux   17 k
 curl-minimal            x86_64  8.5.0-1.amzn2023.0.4         amazonlinux  160 k
 dnf                     noarch  4.14.0-1.amzn2023.0.5        amazonlinux  460 k
 dnf-data                noarch  4.14.0-1.amzn2023.0.5        amazonlinux   34 k
 expat                   x86_64  2.5.0-1.amzn2023.0.4         amazonlinux  117 k
 glibc                   x86_64  2.34-52.amzn2023.0.10        amazonlinux  1.9 M
 glibc-common            x86_64  2.34-52.amzn2023.0.10        amazonlinux  295 k
 glibc-minimal-langpack  x86_64  2.34-52.amzn2023.0.10        amazonlinux   23 k
 krb5-libs               x86_64  1.21-3.amzn2023.0.4          amazonlinux  758 k
 libblkid                x86_64  2.37.4-1.amzn2023.0.4        amazonlinux  105 k
 libcurl-minimal         x86_64  8.5.0-1.amzn2023.0.4         amazonlinux  275 k
 libmount                x86_64  2.37.4-1.amzn2023.0.4        amazonlinux  132 k
 libnghttp2              x86_64  1.59.0-3.amzn2023.0.1        amazonlinux   79 k
 libsmartcols            x86_64  2.37.4-1.amzn2023.0.4        amazonlinux   62 k
 libuuid                 x86_64  2.37.4-1.amzn2023.0.4        amazonlinux   26 k
 openssl-libs            x86_64  1:3.0.8-1.amzn2023.0.12      amazonlinux  2.2 M
 python3                 x86_64  3.9.16-1.amzn2023.0.8        amazonlinux   27 k
 python3-dnf             noarch  4.14.0-1.amzn2023.0.5        amazonlinux  409 k
 python3-libs            x86_64  3.9.16-1.amzn2023.0.8        amazonlinux  7.3 M
 system-release          noarch  2023.5.20240708-1.amzn2023   amazonlinux   28 k
 yum                     noarch  4.14.0-1.amzn2023.0.5        amazonlinux   32 k

 Transaction Summary
=================================================================================
Upgrade  21 Packages

Total download size: 14 M
Downloading Packages:
(1/21): amazon-linux-repo-cdn-2023.5.20240708-1. 345 kB/s |  17 kB     00:00
(2/21): dnf-4.14.0-1.amzn2023.0.5.noarch.rpm     6.8 MB/s | 460 kB     00:00
(3/21): dnf-data-4.14.0-1.amzn2023.0.5.noarch.rp 1.6 MB/s |  34 kB     00:00
(4/21): expat-2.5.0-1.amzn2023.0.4.x86_64.rpm    4.6 MB/s | 117 kB     00:00
(5/21): glibc-2.34-52.amzn2023.0.10.x86_64.rpm    38 MB/s | 1.9 MB     00:00
(6/21): glibc-common-2.34-52.amzn2023.0.10.x86_6 8.8 MB/s | 295 kB     00:00
(7/21): glibc-minimal-langpack-2.34-52.amzn2023. 1.7 MB/s |  23 kB     00:00
(8/21): curl-minimal-8.5.0-1.amzn2023.0.4.x86_64 998 kB/s | 160 kB     00:00
(9/21): libblkid-2.37.4-1.amzn2023.0.4.x86_64.rp 4.1 MB/s | 105 kB     00:00
(10/21): krb5-libs-1.21-3.amzn2023.0.4.x86_64.rp  16 MB/s | 758 kB     00:00
(11/21): libmount-2.37.4-1.amzn2023.0.4.x86_64.r 7.9 MB/s | 132 kB     00:00
(12/21): libnghttp2-1.59.0-3.amzn2023.0.1.x86_64 5.6 MB/s |  79 kB     00:00
(13/21): libsmartcols-2.37.4-1.amzn2023.0.4.x86_ 4.4 MB/s |  62 kB     00:00
(14/21): libcurl-minimal-8.5.0-1.amzn2023.0.4.x8 7.1 MB/s | 275 kB     00:00
(15/21): libuuid-2.37.4-1.amzn2023.0.4.x86_64.rp 1.1 MB/s |  26 kB     00:00
(16/21): python3-3.9.16-1.amzn2023.0.8.x86_64.rp 1.5 MB/s |  27 kB     00:00
(17/21): python3-dnf-4.14.0-1.amzn2023.0.5.noarc  19 MB/s | 409 kB     00:00
(18/21): system-release-2023.5.20240708-1.amzn20 1.9 MB/s |  28 kB     00:00
(19/21): yum-4.14.0-1.amzn2023.0.5.noarch.rpm    1.6 MB/s |  32 kB     00:00
(20/21): openssl-libs-3.0.8-1.amzn2023.0.12.x86_  26 MB/s | 2.2 MB     00:00
(21/21): python3-libs-3.9.16-1.amzn2023.0.8.x86_  59 MB/s | 7.3 MB     00:00
---------------------------------------------------------------------------------
Total                                             34 MB/s |  14 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                         1/1
  Upgrading        : glibc-common-2.34-52.amzn2023.0.10.x86_64              1/42
  Upgrading        : glibc-minimal-langpack-2.34-52.amzn2023.0.10.x86_64    2/42
  Running scriptlet: glibc-2.34-52.amzn2023.0.10.x86_64                     3/42
  Upgrading        : glibc-2.34-52.amzn2023.0.10.x86_64                     3/42
  Running scriptlet: glibc-2.34-52.amzn2023.0.10.x86_64                     3/42
  Upgrading        : libuuid-2.37.4-1.amzn2023.0.4.x86_64                   4/42
  Upgrading        : openssl-libs-1:3.0.8-1.amzn2023.0.12.x86_64            5/42
  Upgrading        : krb5-libs-1.21-3.amzn2023.0.4.x86_64                   6/42
  Upgrading        : libblkid-2.37.4-1.amzn2023.0.4.x86_64                  7/42
  Running scriptlet: libblkid-2.37.4-1.amzn2023.0.4.x86_64                  7/42
  Upgrading        : expat-2.5.0-1.amzn2023.0.4.x86_64                      8/42
  Upgrading        : python3-3.9.16-1.amzn2023.0.8.x86_64                   9/42
  Upgrading        : python3-libs-3.9.16-1.amzn2023.0.8.x86_64             10/42
  Upgrading        : libnghttp2-1.59.0-3.amzn2023.0.1.x86_64               11/42
  Upgrading        : libcurl-minimal-8.5.0-1.amzn2023.0.4.x86_64           12/42
  Upgrading        : system-release-2023.5.20240708-1.amzn2023.noarch      13/42
  Upgrading        : amazon-linux-repo-cdn-2023.5.20240708-1.amzn2023.no   14/42
  Upgrading        : dnf-data-4.14.0-1.amzn2023.0.5.noarch                 15/42
  Upgrading        : python3-dnf-4.14.0-1.amzn2023.0.5.noarch              16/42
  Upgrading        : dnf-4.14.0-1.amzn2023.0.5.noarch                      17/42
  Running scriptlet: dnf-4.14.0-1.amzn2023.0.5.noarch                      17/42
  Upgrading        : yum-4.14.0-1.amzn2023.0.5.noarch                      18/42
  Upgrading        : curl-minimal-8.5.0-1.amzn2023.0.4.x86_64              19/42
  Upgrading        : libmount-2.37.4-1.amzn2023.0.4.x86_64                 20/42
  Upgrading        : libsmartcols-2.37.4-1.amzn2023.0.4.x86_64             21/42
  Cleanup          : yum-4.14.0-1.amzn2023.0.4.noarch                      22/42
  Running scriptlet: dnf-4.14.0-1.amzn2023.0.4.noarch                      23/42
  Cleanup          : dnf-4.14.0-1.amzn2023.0.4.noarch                      23/42
  Running scriptlet: dnf-4.14.0-1.amzn2023.0.4.noarch                      23/42
  Cleanup          : python3-dnf-4.14.0-1.amzn2023.0.4.noarch              24/42
  Cleanup          : amazon-linux-repo-cdn-2023.4.20240319-1.amzn2023.no   25/42
  Cleanup          : libmount-2.37.4-1.amzn2023.0.3.x86_64                 26/42
  Cleanup          : curl-minimal-8.5.0-1.amzn2023.0.2.x86_64              27/42
  Cleanup          : libcurl-minimal-8.5.0-1.amzn2023.0.2.x86_64           28/42
  Cleanup          : krb5-libs-1.21-3.amzn2023.0.3.x86_64                  29/42
  Cleanup          : libblkid-2.37.4-1.amzn2023.0.3.x86_64                 30/42
  Cleanup          : libnghttp2-1.57.0-1.amzn2023.0.1.x86_64               31/42
  Cleanup          : libsmartcols-2.37.4-1.amzn2023.0.3.x86_64             32/42
  Cleanup          : system-release-2023.4.20240319-1.amzn2023.noarch      33/42
  Cleanup          : dnf-data-4.14.0-1.amzn2023.0.4.noarch                 34/42
  Cleanup          : python3-3.9.16-1.amzn2023.0.6.x86_64                  35/42
  Cleanup          : python3-libs-3.9.16-1.amzn2023.0.6.x86_64             36/42
  Cleanup          : openssl-libs-1:3.0.8-1.amzn2023.0.11.x86_64           37/42
  Cleanup          : libuuid-2.37.4-1.amzn2023.0.3.x86_64                  38/42
  Cleanup          : expat-2.5.0-1.amzn2023.0.3.x86_64                     39/42
  Cleanup          : glibc-2.34-52.amzn2023.0.8.x86_64                     40/42
  Cleanup          : glibc-minimal-langpack-2.34-52.amzn2023.0.8.x86_64    41/42
  Cleanup          : glibc-common-2.34-52.amzn2023.0.8.x86_64              42/42
  Running scriptlet: glibc-common-2.34-52.amzn2023.0.8.x86_64              42/42
  Verifying        : amazon-linux-repo-cdn-2023.5.20240708-1.amzn2023.no    1/42
  Verifying        : amazon-linux-repo-cdn-2023.4.20240319-1.amzn2023.no    2/42
  Verifying        : curl-minimal-8.5.0-1.amzn2023.0.4.x86_64               3/42
  Verifying        : curl-minimal-8.5.0-1.amzn2023.0.2.x86_64               4/42
  Verifying        : dnf-4.14.0-1.amzn2023.0.5.noarch                       5/42
  Verifying        : dnf-4.14.0-1.amzn2023.0.4.noarch                       6/42
  Verifying        : dnf-data-4.14.0-1.amzn2023.0.5.noarch                  7/42
  Verifying        : dnf-data-4.14.0-1.amzn2023.0.4.noarch                  8/42
  Verifying        : expat-2.5.0-1.amzn2023.0.4.x86_64                      9/42
  Verifying        : expat-2.5.0-1.amzn2023.0.3.x86_64                     10/42
  Verifying        : glibc-2.34-52.amzn2023.0.10.x86_64                    11/42
  Verifying        : glibc-2.34-52.amzn2023.0.8.x86_64                     12/42
  Verifying        : glibc-common-2.34-52.amzn2023.0.10.x86_64             13/42
  Verifying        : glibc-common-2.34-52.amzn2023.0.8.x86_64              14/42
  Verifying        : glibc-minimal-langpack-2.34-52.amzn2023.0.10.x86_64   15/42
  Verifying        : glibc-minimal-langpack-2.34-52.amzn2023.0.8.x86_64    16/42
  Verifying        : krb5-libs-1.21-3.amzn2023.0.4.x86_64                  17/42
  Verifying        : krb5-libs-1.21-3.amzn2023.0.3.x86_64                  18/42
  Verifying        : libblkid-2.37.4-1.amzn2023.0.4.x86_64                 19/42
  Verifying        : libblkid-2.37.4-1.amzn2023.0.3.x86_64                 20/42
  Verifying        : libcurl-minimal-8.5.0-1.amzn2023.0.4.x86_64           21/42
  Verifying        : libcurl-minimal-8.5.0-1.amzn2023.0.2.x86_64           22/42
  Verifying        : libmount-2.37.4-1.amzn2023.0.4.x86_64                 23/42
  Verifying        : libmount-2.37.4-1.amzn2023.0.3.x86_64                 24/42
  Verifying        : libnghttp2-1.59.0-3.amzn2023.0.1.x86_64               25/42
  Verifying        : libnghttp2-1.57.0-1.amzn2023.0.1.x86_64               26/42
  Verifying        : libsmartcols-2.37.4-1.amzn2023.0.4.x86_64             27/42
  Verifying        : libsmartcols-2.37.4-1.amzn2023.0.3.x86_64             28/42
  Verifying        : libuuid-2.37.4-1.amzn2023.0.4.x86_64                  29/42
  Verifying        : libuuid-2.37.4-1.amzn2023.0.3.x86_64                  30/42
  Verifying        : openssl-libs-1:3.0.8-1.amzn2023.0.12.x86_64           31/42
  Verifying        : openssl-libs-1:3.0.8-1.amzn2023.0.11.x86_64           32/42
  Verifying        : python3-3.9.16-1.amzn2023.0.8.x86_64                  33/42
  Verifying        : python3-3.9.16-1.amzn2023.0.6.x86_64                  34/42
  Verifying        : python3-dnf-4.14.0-1.amzn2023.0.5.noarch              35/42
  Verifying        : python3-dnf-4.14.0-1.amzn2023.0.4.noarch              36/42
  Verifying        : python3-libs-3.9.16-1.amzn2023.0.8.x86_64             37/42
  Verifying        : python3-libs-3.9.16-1.amzn2023.0.6.x86_64             38/42
  Verifying        : system-release-2023.5.20240708-1.amzn2023.noarch      39/42
  Verifying        : system-release-2023.4.20240319-1.amzn2023.noarch      40/42
  Verifying        : yum-4.14.0-1.amzn2023.0.5.noarch                      41/42
  Verifying        : yum-4.14.0-1.amzn2023.0.4.noarch                      42/42

Upgraded:
  amazon-linux-repo-cdn-2023.5.20240708-1.amzn2023.noarch
  curl-minimal-8.5.0-1.amzn2023.0.4.x86_64
  dnf-4.14.0-1.amzn2023.0.5.noarch
  dnf-data-4.14.0-1.amzn2023.0.5.noarch
  expat-2.5.0-1.amzn2023.0.4.x86_64
  glibc-2.34-52.amzn2023.0.10.x86_64
  glibc-common-2.34-52.amzn2023.0.10.x86_64
  glibc-minimal-langpack-2.34-52.amzn2023.0.10.x86_64
  krb5-libs-1.21-3.amzn2023.0.4.x86_64
  libblkid-2.37.4-1.amzn2023.0.4.x86_64
  libcurl-minimal-8.5.0-1.amzn2023.0.4.x86_64
  libmount-2.37.4-1.amzn2023.0.4.x86_64
  libnghttp2-1.59.0-3.amzn2023.0.1.x86_64
  libsmartcols-2.37.4-1.amzn2023.0.4.x86_64
  libuuid-2.37.4-1.amzn2023.0.4.x86_64
  openssl-libs-1:3.0.8-1.amzn2023.0.12.x86_64
  python3-3.9.16-1.amzn2023.0.8.x86_64
  python3-dnf-4.14.0-1.amzn2023.0.5.noarch
  python3-libs-3.9.16-1.amzn2023.0.8.x86_64
  system-release-2023.5.20240708-1.amzn2023.noarch
  yum-4.14.0-1.amzn2023.0.5.noarch

Complete!
bash-5.2#
```

------

To discover AL2023 updates, do one or more of the following:
+  Run the `dnf check-update` command. This checks for unapplied updates in the version of Amazon Linux that the instance is locked to. It may show updates if you updated only the `system-release` package, which changes the repository version the instance is locked to without applying any of the updates available in that version. 
+ Subscribe to the Amazon Linux repository update SNS topic (`arn:aws:sns:us-east-1:137112412989:amazon-linux-2023-ami-updates`). For more information, see [Subscribing to an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html) in the *Amazon Simple Notification Service Developer Guide*.
+ Regularly refer to the [AL2023 release notes](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html).
+  Discover new versions by [Checking for newer repository versions with `dnf check-release-update`](#dnf-repository-updates). 

**Important**  
 New versions of AL2023 containing security updates are released frequently. Be sure to keep up to date with relevant security patches. 

## Automatic service restart after (security) updates
<a name="automatic-restart-services"></a>

Amazon Linux now ships with the [smart-restart](https://github.com/amazonlinux/smart-restart) package. `Smart-restart` restarts systemd services on system updates whenever a package is installed or deleted using the system's package manager. This occurs whenever `dnf (update|upgrade|downgrade)` is executed.

`Smart-restart` uses the `needs-restarting` package from `dnf-utils` and a custom denylisting mechanism to determine which services need to be restarted and whether a system reboot is advised. If a system reboot is advised, a reboot hint marker file is generated (`/run/smart-restart/reboot-hint-marker`).

**To install `smart-restart`**  
Run the following DNF command (as you would with any other package).

```
$ sudo dnf install smart-restart
```

After the installation, the subsequent transactions will trigger the `smart-restart` logic.

**Denylist**  
`Smart-restart` can be instructed to block certain services from being restarted. The blocked services won't contribute to the decision of whether a reboot is required. To block additional services, add a file with the suffix `-denylist` in `/etc/smart-restart-conf.d/` as shown in the following example.

```
$ cat /etc/smart-restart-conf.d/custom-denylist
# Some comments
myservice.service
```

**Note**  
All `*-denylist` files are read and evaluated when making the decision of whether a reboot is required.

**Custom hooks**  
In addition to denylisting, `smart-restart` provides a mechanism to run custom scripts before and after the attempts to restart the service. The custom scripts can be used to manually perform preparation steps or to inform other components of a remaining or completed restart.

All scripts in `/etc/smart-restart-conf.d/` with the suffix `-pre-restart` or `-post-restart` are executed. If the order is important, prefix all of the scripts with a number to ensure the execution order as shown in the following example.

```
$ ls /etc/smart-restart-conf.d/*-pre-restart
001-my-script-pre-restart
002-some-other-script-pre-restart
```

## When is a reboot required to apply security updates?
<a name="reboot"></a>

In some situations, Amazon Linux requires a reboot to apply updates:
+ Updates to the Linux kernel package require a reboot to activate the new kernel with latest security updates. Kernel livepatching may allow you to postpone security updates for a limited period of time. For details, consult [Kernel Live Patching on AL2023](live-patching.md). 
+ On EC2 Metal instances, Amazon Linux provides microcode updates (through the `microcode_ctl` package for Intel CPUs and the `amd-ucode-firmware` package for AMD CPUs). These microcode updates will only be activated on subsequent instance reboots. For virtualized EC2 instances, the underlying [AWS Nitro system](https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/security-design-of-aws-nitro-system.html) handles microcode updates for you. 
+ Some running systemd services will only function correctly after a full system restart. The `smart-restart` mechanism will inform you about such situations by leaving reboot hints. See [Automatic service restart after (security) updates](#automatic-restart-services). 

## Launching an instance with the latest repository version enabled
<a name="launch-an-instance-repo-version"></a>

You can add DNF commands to a user-data script to control what RPM packages are installed on an Amazon Linux AMI when it's launched. In the following example, a user-data script is used to make sure that any instance launched with the user-data script has the same package updates installed.

```
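#!/bin/bash
# Pin the upgrade to a specific, previously tested release. User data runs
# without a terminal, so -y is needed to answer dnf's confirmation prompt.
dnf -y upgrade --releasever=2023.0.20230210
# Additional setup and install commands below
dnf -y install httpd php7.4 mysql80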
```

You must run this script as superuser (root). To do this, run the following command.

```
$ sudo sh -c "bash nameofscript.sh"
```

For more information, see [User data and shell scripts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts) in the *Amazon EC2 User Guide*.

**Note**  
Instead of using a user-data script, launch the latest Amazon Linux AMI or a custom AMI that's based on the Amazon Linux AMI. The latest Amazon Linux AMI has all the necessary updates installed and is configured to point at a particular repository version.
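
The pinning rule above can be checked before user data ships. The following is an added example, not part of the AL2023 documentation: it lints a user-data script for `--releasever` values that are `latest`, set from a variable, malformed, or inconsistent within the script. The function name `lint_userdata`, the finding labels and the sample script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint a user-data script for unpinned or inconsistent
# --releasever values. Function name, finding labels and the sample are
# hypothetical; only `dnf --releasever=...` itself comes from the page.

# Constructed sample user data (single quotes keep $TARGET literal).
SAMPLE_USERDATA='#!/bin/bash
# dnf -y upgrade --releasever=latest   (commented out: ignored)
dnf -y upgrade --releasever=latest
dnf -y install --releasever 2023.0.20230210 httpd
dnf -y upgrade --releasever=2023.1.20230628
dnf -y upgrade --releasever="$TARGET"'

# Reads a script on stdin, prints LINE:FINDING:DETAIL for each problem,
# and returns 1 if anything was reported, 0 otherwise.
lint_userdata() {
  awk '
    function report(kind, detail) {
      printf "%d:%s:%s\n", NR, kind, detail
      bad = 1
    }
    /^[ \t]*#/ { next }    # comments and the shebang are not executed
    {
      rest = $0
      # A line can carry several dnf commands; walk every occurrence.
      while (match(rest, /--releasever[= \t]+[^ \t;&|]+/)) {
        val = substr(rest, RSTART, RLENGTH)
        rest = substr(rest, RSTART + RLENGTH)
        sub(/^--releasever[= \t]+/, "", val)
        gsub(/"/, "", val)
        if (val == "latest") {
          # Follows whatever is newest at launch time.
          report("latest", "not pinned to a tested release")
        } else if (substr(val, 1, 1) == "$") {
          # Cannot be verified statically; resolve it before review.
          report("dynamic", val)
        } else if (val !~ /^2023\.[0-9]+\.2[0-9][0-9][0-9][0-9][0-9][0-9][0-9]$/) {
          # Expected form is 2023.MINOR.YYYYMMDD.
          report("malformed", val)
        } else if (pinned != "" && val != pinned) {
          # Two different releases in one script defeat the pin.
          report("mixed", pinned " vs " val)
        } else {
          pinned = val
        }
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_USERDATA" | lint_userdata \
  || echo "findings above: do not ship this user data"
```

A script that never passes `--releasever` produces no findings, because `dnf` then stays on the repository version the image is locked to.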

## Getting package support information
<a name="dnf-support-info-plugin"></a>

AL2023 incorporates many different open-source software projects. Each of these projects is managed independently from Amazon Linux and has different release and end-of-support schedules. To provide you with Amazon Linux specific information about these different packages, the DNF `supportinfo` plugin provides metadata about a package. In the following example, the **dnf supportinfo** command returns metadata for the `glibc` package.

```
$ sudo dnf supportinfo --pkg glibc 
Last metadata expiration check: 0:07:56 ago on Wed Mar  1 23:21:49 2023.
Name                 : glibc
Version              : 2.34-52.amzn2023.0.2
State                : installed
Support Status       : supported
Support Periods      : from 2023-03-15      : supported
                     : from 2028-03-15      : unsupported
Support Statement    : Amazon Linux 2023 End Of Life
Link                 : https://aws.amazon.com/amazon-linux-ami/faqs/
Other Info           : This is the support statement for AL2023. The
                  ...: end of life of Amazon Linux 2023 would be March 2028.
                  ...: From this point, the Amazon Linux 2023 packages (listed
                  ...: below) will no longer, receive any updates from AWS.
```

 Package support information is also available in the [support statements](https://docs.aws.amazon.com/linux/al2023/release-notes/support-info-by-support-statement.html) section of the [AL2023 Release Notes](https://docs.aws.amazon.com/linux/al2023/release-notes/). 

## Checking for newer repository versions with `dnf check-release-update`
<a name="dnf-repository-updates"></a>

 In an AL2023 instance, you can use the DNF utility to manage repositories and apply updated RPM packages. These packages are available in the Amazon Linux repositories. You can use the DNF command `dnf check-release-update` to check for new versions of the DNF repository. 

**Note**  
 AL2023 container images do not include the `dnf check-release-update` command by default.   

```
$ dnf check-release-update
No such command: check-release-update. Please use /usr/bin/dnf --help
It could be a DNF plugin command, try: "dnf install 'dnf-command(check-release-update)'"
```

When `dnf install 'dnf-command(check-release-update)'` is run, `dnf` installs the package that provides the `check-release-update` command, which is the `dnf-plugin-release-notification` package. In the following example, the `-q` argument is given to `dnf` for quiet output.

```
$ dnf -y -q install 'dnf-command(check-release-update)'
Installed:
  dnf-plugin-release-notification-1.2-1.amzn2023.0.2.noarch
```

 In non-containerized environments such as an Amazon EC2 instance, the `check-release-update` command is included by default. 

```
$ sudo dnf check-release-update
WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.0.20230210:
    Run the following command to update to 2023.0.20230210:

      dnf upgrade --releasever=2023.0.20230210

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html
```

This returns a full list of all the newer versions of the DNF repositories that are available. If nothing's returned, this means that DNF is currently configured to use the latest available version. The version of the currently installed `system-release` package sets the `releasever` DNF variable. To check the current repository version, run the following command.

```
$ rpm -q system-release --qf "%{VERSION}\n"
```
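
The two commands above can be combined into a drift check against the release you have tested. The following is an added example, not part of the AL2023 documentation: it parses the `Version ...:` headers from `dnf check-release-update` output and compares the installed release with an approved one. The function names, the status words and the notion of an "approved" release are assumptions, and the second version entry in the sample is constructed.

```shell
#!/bin/sh
# Added example: compare the installed AL2023 release with an approved
# (tested) release and count newer releases still waiting for testing.
# All function names and status words here are hypothetical.

# Sample output: the first entry is the one shown on the page, the
# second entry is constructed for this example.
SAMPLE_OUTPUT='WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.0.20230210:
    Run the following command to update to 2023.0.20230210:

      dnf upgrade --releasever=2023.0.20230210

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

  Version 2023.0.20230222:
    Run the following command to update to 2023.0.20230222:

      dnf upgrade --releasever=2023.0.20230222
'

# True if $1 has the form 2023.MINOR.YYYYMMDD.
is_release() {
  printf '%s\n' "$1" | grep -Eq '^2023\.(0|[1-9][0-9]*)\.2[0-9]{7}$'
}

# Sortable integer key: MINOR * 10^8 + YYYYMMDD.
release_key() {
  is_release "$1" || return 1
  rk_rest=${1#*.}    # MINOR.YYYYMMDD
  echo $(( ${rk_rest%%.*} * 100000000 + ${rk_rest#*.} ))
}

# stdin: check-release-update output; stdout: one version per line.
# Only the "Version X:" headers are used, so each release appears once.
available_releases() {
  sed -n 's/^[[:space:]]*Version \(2023\.[0-9][0-9]*\.[0-9]\{8\}\):[[:space:]]*$/\1/p'
}

# stdin: versions, one per line; stdout: the newest one.
newest_release() {
  sort -t. -k2,2n -k3,3n | tail -n 1
}

# Usage: <check-release-update output> | release_status INSTALLED APPROVED
# Prints "ok", "behind" (upgrade to APPROVED is due) or "ahead" (the host
# moved past the tested release), followed by the number of advertised
# releases newer than APPROVED. Returns 2 on an invalid version string.
release_status() {
  rs_inst=$(release_key "$1") || { echo "invalid installed=$1"; return 2; }
  rs_appr=$(release_key "$2") || { echo "invalid approved=$2"; return 2; }
  rs_pending=0
  for rs_v in $(available_releases); do
    if [ "$(release_key "$rs_v")" -gt "$rs_appr" ]; then
      rs_pending=$((rs_pending + 1))
    fi
  done
  if [ "$rs_inst" -lt "$rs_appr" ]; then rs_state=behind
  elif [ "$rs_inst" -gt "$rs_appr" ]; then rs_state=ahead
  else rs_state=ok
  fi
  echo "$rs_state pending=$rs_pending"
}

# Demo on the sample. On an instance, feed it the page's commands instead
# (2>&1 is an assumption, in case the notice is written to stderr):
#   dnf check-release-update 2>&1 |
#     release_status "$(rpm -q system-release --qf '%{VERSION}\n')" 2023.0.20230210
printf '%s\n' "$SAMPLE_OUTPUT" | release_status 2023.0.20230210 2023.0.20230210
```

An `ahead` result on a production host means it was upgraded past the release that was tested, which is the outcome pinning `--releasever` is meant to prevent.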

When you run DNF package transactions (such as install, update, or remove commands), a warning message notifies you of any new repository versions. For example, if you install the `httpd` package on an instance that was launched from an older version of AL2023, the following output is returned.

```
$ sudo dnf install httpd -y
Last metadata expiration check: 0:16:52 ago on Wed Mar  1 23:21:49 2023.
Dependencies resolved.
====================================================================
 Package            Arch   Version                Repository   Size
====================================================================
Installing:
 httpd              x86_64 2.4.54-3.amzn2023.0.4  amazonlinux  46 k
Installing dependencies:
 apr                x86_64 1.7.2-2.amzn2023.0.2   amazonlinux 129 k
 apr-util           x86_64 1.6.3-1.amzn2023.0.1   amazonlinux  98 k
 generic-logos-httpd
                    noarch 18.0.0-12.amzn2023.0.3 amazonlinux  19 k
 httpd-core         x86_64 2.4.54-3.amzn2023.0.4  amazonlinux 1.3 M
 httpd-filesystem   noarch 2.4.54-3.amzn2023.0.4  amazonlinux  13 k
 httpd-tools        x86_64 2.4.54-3.amzn2023.0.4  amazonlinux  80 k
 libbrotli          x86_64 1.0.9-4.amzn2023.0.2   amazonlinux 315 k
 mailcap            noarch 2.1.49-3.amzn2023.0.3  amazonlinux  33 k
Installing weak dependencies:
 apr-util-openssl   x86_64 1.6.3-1.amzn2023.0.1   amazonlinux  17 k
 mod_http2          x86_64 1.15.24-1.amzn2023.0.3 amazonlinux 152 k
 mod_lua            x86_64 2.4.54-3.amzn2023.0.4  amazonlinux  60 k

Transaction Summary
====================================================================
Install  12 Packages

Total download size: 2.3 M
Installed size: 6.8 M
Downloading Packages:
(1/12): apr-util-openssl-1.6.3-1.am 212 kB/s |  17 kB     00:00
(2/12): apr-1.7.2-2.amzn2023.0.2.x8 1.1 MB/s | 129 kB     00:00
(3/12): httpd-core-2.4.54-3.amzn202 8.9 MB/s | 1.3 MB     00:00
(4/12): mod_http2-1.15.24-1.amzn202 1.9 MB/s | 152 kB     00:00
(5/12): apr-util-1.6.3-1.amzn2023.0 1.7 MB/s |  98 kB     00:00
(6/12): mod_lua-2.4.54-3.amzn2023.0 1.4 MB/s |  60 kB     00:00
(7/12): httpd-2.4.54-3.amzn2023.0.4 1.5 MB/s |  46 kB     00:00
(8/12): libbrotli-1.0.9-4.amzn2023. 4.4 MB/s | 315 kB     00:00
(9/12): mailcap-2.1.49-3.amzn2023.0 753 kB/s |  33 kB     00:00
(10/12): httpd-tools-2.4.54-3.amzn2 978 kB/s |  80 kB     00:00
(11/12): httpd-filesystem-2.4.54-3. 210 kB/s |  13 kB     00:00
(12/12): generic-logos-httpd-18.0.0 439 kB/s |  19 kB     00:00
--------------------------------------------------------------------
Total                               6.6 MB/s | 2.3 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                            1/1
  Installing       : apr-1.7.2-2.amzn2023.0.2.x86_64           1/12
  Installing       : apr-util-openssl-1.6.3-1.amzn2023.0.1.    2/12
  Installing       : apr-util-1.6.3-1.amzn2023.0.1.x86_64      3/12
  Installing       : mailcap-2.1.49-3.amzn2023.0.3.noarch      4/12
  Installing       : httpd-tools-2.4.54-3.amzn2023.0.4.x86_    5/12
  Installing       : generic-logos-httpd-18.0.0-12.amzn2023    6/12
  Running scriptlet: httpd-filesystem-2.4.54-3.amzn2023.0.4    7/12
  Installing       : httpd-filesystem-2.4.54-3.amzn2023.0.4    7/12
  Installing       : httpd-core-2.4.54-3.amzn2023.0.4.x86_6    8/12
  Installing       : mod_http2-1.15.24-1.amzn2023.0.3.x86_6    9/12
  Installing       : libbrotli-1.0.9-4.amzn2023.0.2.x86_64    10/12
  Installing       : mod_lua-2.4.54-3.amzn2023.0.4.x86_64     11/12
  Installing       : httpd-2.4.54-3.amzn2023.0.4.x86_64       12/12
  Running scriptlet: httpd-2.4.54-3.amzn2023.0.4.x86_64       12/12
  Verifying        : apr-1.7.2-2.amzn2023.0.2.x86_64           1/12
  Verifying        : apr-util-openssl-1.6.3-1.amzn2023.0.1.    2/12
  Verifying        : httpd-core-2.4.54-3.amzn2023.0.4.x86_6    3/12
  Verifying        : mod_http2-1.15.24-1.amzn2023.0.3.x86_6    4/12
  Verifying        : apr-util-1.6.3-1.amzn2023.0.1.x86_64      5/12
  Verifying        : mod_lua-2.4.54-3.amzn2023.0.4.x86_64      6/12
  Verifying        : libbrotli-1.0.9-4.amzn2023.0.2.x86_64     7/12
  Verifying        : httpd-2.4.54-3.amzn2023.0.4.x86_64        8/12
  Verifying        : httpd-tools-2.4.54-3.amzn2023.0.4.x86_    9/12
  Verifying        : mailcap-2.1.49-3.amzn2023.0.3.noarch     10/12
  Verifying        : httpd-filesystem-2.4.54-3.amzn2023.0.4   11/12
  Verifying        : generic-logos-httpd-18.0.0-12.amzn2023   12/12

Installed:
  apr-1.7.2-2.amzn2023.0.2.x86_64
  apr-util-1.6.3-1.amzn2023.0.1.x86_64
  apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64
  generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch
  httpd-2.4.54-3.amzn2023.0.4.x86_64
  httpd-core-2.4.54-3.amzn2023.0.4.x86_64
  httpd-filesystem-2.4.54-3.amzn2023.0.4.noarch
  httpd-tools-2.4.54-3.amzn2023.0.4.x86_64
  libbrotli-1.0.9-4.amzn2023.0.2.x86_64
  mailcap-2.1.49-3.amzn2023.0.3.noarch
  mod_http2-1.15.24-1.amzn2023.0.3.x86_64
  mod_lua-2.4.54-3.amzn2023.0.4.x86_64

Complete!
```

## Adding, enabling, or disabling new repositories
<a name="dnf-repo-addition"></a>

**Warning**  
 Only add repositories designed to be used with AL2023.   
 While repositories designed for other distributions may work today, there is no guarantee that they will continue to work after any package update in AL2023 or in the repository that was not designed for use with AL2023. 

To install a package from a repository other than the default Amazon Linux repositories, you need to configure the `DNF` package management system so that it knows where the repository is.

 To tell `dnf` about a package repository, add the repository information to a configuration file for that repository in the `/etc/yum.repos.d/` directory. Many third-party repositories provide either the configuration file content or an installable package which includes the configuration file. 

**Note**  
 While repositories can be configured directly in the `/etc/dnf/dnf.conf` file, this is not recommended. It is recommended that each repository be configured in its own file in `/etc/yum.repos.d/`. 

**To find out what repositories are currently enabled, you can run the following command:**

```
$ dnf repolist all --verbose
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, release-notification, repoclosure, repodiff, repograph, repomanage, reposync, supportinfo
DNF version: 4.12.0
cachedir: /var/cache/dnf
Last metadata expiration check: 0:00:02 ago on Wed Mar  1 23:40:15 2023.
Repo-id            : amazonlinux
Repo-name          : Amazon Linux 2023 repository
Repo-status        : enabled
Repo-revision      : 1677203368
Repo-updated       : Fri Feb 24 01:49:28 2023
Repo-pkgs          : 12632
Repo-available-pkgs: 12632
Repo-size          : 12 G
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/mirrors/2023.0.20230222/x86_64/mirror.list
Repo-baseurl       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/guids/cf9296325a6c46ff40c775a8e2d632c4c3fd9d9164014ce3304715d61b90ca8e/x86_64/
                   : (0 more)
Repo-expire        : 172800 second(s) (last: Wed Mar  1 23:40:15
                   : 2023)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo

Repo-id            : amazonlinux-debuginfo
Repo-name          : Amazon Linux 2023 repository - Debug
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/mirrors/2023.0.20230222/debuginfo/x86_64/mirror.list
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo

Repo-id            : amazonlinux-source
Repo-name          : Amazon Linux 2023 repository - Source packages
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/mirrors/2023.0.20230222/SRPMS/mirror.list
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo

Repo-id            : kernel-livepatch
Repo-name          : Amazon Linux 2023 Kernel Livepatch repository
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/kernel-livepatch/mirrors/al2023/x86_64/mirror.list
Repo-expire        : 172800 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/kernel-livepatch.repo

Repo-id            : kernel-livepatch-source
Repo-name          : Amazon Linux 2023 Kernel Livepatch repository -
                   : Source packages
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/kernel-livepatch/mirrors/al2023/SRPMS/mirror.list
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/kernel-livepatch.repo
Total packages: 12632
```

**Note**  
If you don't add the `--verbose` option flag, the output only includes the `Repo-id`, `Repo-name`, and `Repo-status` information.

**To add a `yum` repository to the `/etc/yum.repos.d` directory:**

1. Find the location of the `.repo` file. In this example, the `.repo` file is at `https://www.example.com/repository.repo`.

1. Add the repository with the `dnf config-manager` command.

```
$ sudo dnf config-manager --add-repo https://www.example.com/repository.repo
Loaded plugins: priorities, update-motd, upgrade-helper
adding repo from: https://www.example.com/repository.repo
grabbing file https://www.example.com/repository.repo to /etc/yum.repos.d/repository.repo
repository.repo                                      | 4.0 kB     00:00
repo saved to /etc/yum.repos.d/repository.repo
```

After you install a repository, you must enable it as described in the next procedure.

**To enable a `yum` repository in `/etc/yum.repos.d`**  
Use the `dnf config-manager` command with the `--enable` flag and the *repository* name.

```
$ sudo dnf config-manager --enable repository
```

**Note**  
To disable a repository, use the same command syntax, but replace `--enable` with `--disable` in the command.

## Adding repositories with cloud-init
<a name="cloud-init-repo-update"></a>

In addition to adding a repository using the previous method, you can also add a new repository using the `cloud-init` framework.

To add a new package repository, we recommend the use of the following template. Consider saving this file locally.

```
#cloud-config
yum_repos: 
  repository.repo: 
    baseurl: https://www.example.com/
    enabled: true
    gpgcheck: true
    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
    name: Example Repository
```

**Note**  
One advantage to using `cloud-init` is that you can add a `packages:` section to your configuration file. In this section, you can include the names of the packages that you want to install. You can install packages from either the default repository or the new repository that you added in the `cloud-config` file.  
For more specific information about the structure of the YAML file, see [Adding a YUM repository](https://cloudinit.readthedocs.io/en/22.2.2/topics/examples.html#adding-a-yum-repository) in the *`cloud-init` documentation*.

After you set up the YAML file, you can pass it to `cloud-init` by launching an instance with the AWS CLI. Make sure to include the `--user-data` option and the name of the `.yml` file to call the desired operations.

```
$ aws ec2 run-instances \
  --image-id \
    resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64 \
  --instance-type m5.xlarge \
  --region us-east-1 \
  --key-name aws-key-us-east-1 \
  --security-group-ids sg-004a7650 \
  --user-data file://cloud-config.yml
```
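The repository definitions described in this section, whether added with `dnf config-manager` or written by `cloud-init`, end up as files in `/etc/yum.repos.d/`. The following check is an added example, not part of the AL2023 documentation or any AWS tool: it reports enabled repositories that have `gpgcheck` or `sslverify` turned off or that use a non-TLS URL. The function names, sample repository IDs, and finding texts are assumptions made for the illustration, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag risky settings in dnf repository definitions.
# On a host: audit_repos /etc/dnf/dnf.conf /etc/yum.repos.d/*.repo

# audit_repos [FILE...]: read INI-style repo definitions (stdin if no FILE) and
# print "repo-id<TAB>finding" for every enabled repository with a weak setting.
# A [main] section seen earlier in the input supplies the inherited gpgcheck value.
audit_repos() {
  awk '
    function truthy(v) { v = tolower(v); return v == "1" || v == "true" || v == "yes" || v == "on" }
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }

    # Evaluate the section that just ended, then reset the per-section state.
    function finish_section(   gpg, i, key) {
      if (id == "main") {
        if ("gpgcheck" in opt) main_gpg = opt["gpgcheck"]
      } else if (id != "" && (!("enabled" in opt) || truthy(opt["enabled"]))) {
        gpg = ("gpgcheck" in opt) ? opt["gpgcheck"] : main_gpg
        if (!truthy(gpg))
          print id "\tgpgcheck is off: package signatures are not verified"
        if (("sslverify" in opt) && !truthy(opt["sslverify"]))
          print id "\tsslverify is off: TLS certificates are not verified"
        for (i = 1; i <= 3; i++) {
          key = urlkey[i]
          if ((key in opt) && tolower(opt[key]) ~ /(^|[ ,\t])(http|ftp):\/\//)
            print id "\t" key " uses a non-TLS URL"
        }
      }
      split("", opt); last = ""
    }

    BEGIN { main_gpg = "0"    # dnf.conf(5): gpgcheck is off unless configured
            split("baseurl mirrorlist metalink", urlkey, " ") }
    /^[ \t]*([#;].*)?$/ { next }                                   # blank or comment
    /^\[.+\]/ { finish_section(); id = $0; sub(/^\[/, "", id); sub(/\].*$/, "", id); next }
    /^[ \t]/  { if (last != "") opt[last] = opt[last] " " trim($0); next }   # continuation
    { p = index($0, "="); if (p == 0) next
      last = trim(substr($0, 1, p - 1)); opt[last] = trim(substr($0, p + 1)) }
    END { finish_section() }
  ' "$@"
}

# Constructed sample input (not a real repository definition).
sample_repos() {
  cat <<'EOF'
[main]
gpgcheck=1

[example-signed]
name=Example Repository
baseurl=https://www.example.com/
enabled=true
gpgcheck=true
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[example-unsigned]
name=Example unsigned repository
baseurl=http://www.example.com/unsigned/
enabled=1
gpgcheck=0

[example-inherits]
name=Example repository that inherits gpgcheck from [main]
mirrorlist=https://www.example.com/mirror.list
sslverify=false

[example-disabled]
baseurl=http://www.example.com/old/
enabled=0
gpgcheck=0
EOF
}

sample_repos | audit_repos
```

Disabled repositories are skipped because `dnf` does not use them until they are enabled.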

# Kernel Live Patching on AL2023
<a name="live-patching"></a>

You can use Kernel Live Patching for AL2023 to apply specific security vulnerability and critical bug patches to a running Linux kernel without rebooting or disrupting running applications. In addition, Kernel Live Patching can help improve your application's availability while applying these fixes until the system can be rebooted.

AWS releases two types of kernel live patches for AL2023:
+ **Security updates** – Include updates for Linux common vulnerabilities and exposures (CVE). These updates are typically rated as *important* or *critical* using the Amazon Linux Security Advisory ratings. They generally map to a Common Vulnerability Scoring System (CVSS) score of 7 and higher. In some cases, AWS might provide updates before a CVE is assigned. In these cases, the patches might appear as bug fixes.
+ **Bug fixes** – Include fixes for critical bugs and stability issues that aren't associated with CVEs.

AWS provides kernel live patches for an AL2023 kernel version for up to 3 months after its release. After this period, you must update to a later kernel version to continue to receive kernel live patches.

AL2023 kernel live patches are made available as signed RPM packages in the existing AL2023 repositories. The patches can be installed on individual instances using existing **DNF package manager** workflows. Or, they can be installed on a group of managed instances using AWS Systems Manager.

Kernel Live Patching on AL2023 is provided at no additional cost.

**Topics**
+ [Limitations](#live-patching-limitations)
+ [Supported configurations and prerequisites](#live-patching-prereq)
+ [Work with Kernel Live Patching](#working-with-live-patching)

## Limitations
<a name="live-patching-limitations"></a>

While applying a kernel live patch, you can't perform hibernation, use advanced debugging tools (such as `SystemTap`, `kprobes`, and `eBPF`-based tools), or access `ftrace` output files used by the Kernel Live Patching infrastructure.

**Note**  
Due to technical limitations, some issues cannot be addressed with live patching. Because of that, these fixes will not be shipped in the kernel live patch package but only in the native kernel package update. You can install the native kernel package and [update and reboot](https://docs.aws.amazon.com/linux/al2023/ug/updating.html) the system to activate the patches as usual.

## Supported configurations and prerequisites
<a name="live-patching-prereq"></a>

Kernel Live Patching is supported on Amazon EC2 instances and on-premises virtual machines that run AL2023.

To use Kernel Live Patching on AL2023, you must use the following:
+ A 64-bit `x86_64` or `ARM64` architecture
+ Kernel version `6.1` or `6.12`

### Policy requirements
<a name="policy-requirements"></a>

To download packages from AL2023 repositories, Amazon EC2 needs access to service-owned Amazon S3 buckets. If you are using an Amazon Virtual Private Cloud (VPC) endpoint for Amazon S3 in your environment, ensure that your VPC endpoint policy allows access to those public buckets. The following table describes the Amazon S3 bucket that Amazon EC2 might need to access for Kernel Live Patching.


| S3 bucket ARN | Description | 
| --- | --- | 
|  arn:aws:s3:::al2023-repos-*region*-de612dc2/\*  |  Amazon S3 bucket containing AL2023 repositories  | 

## Work with Kernel Live Patching
<a name="working-with-live-patching"></a>

You can enable and use Kernel Live Patching on individual instances using the command line on the instance itself. Alternatively, you can enable and use Kernel Live Patching on a group of managed instances using AWS Systems Manager.

The following sections explain how to enable and use Kernel Live Patching on individual instances using the command line.

For more information about enabling and using Kernel Live Patching on a group of managed instances, see [Use Kernel Live Patching on AL2023 instances](https://docs.aws.amazon.com/systems-manager/latest/userguide/kernel-live-patching.html) in the *AWS Systems Manager User Guide*.

**Topics**
+ [Enable Kernel Live Patching](#live-patching-enable)
+ [View the available kernel live patches](#live-patching-view-available)
+ [Apply kernel live patches](#live-patching-apply)
+ [View the applied kernel live patches](#live-patching-view)
+ [Disable Kernel Live Patching](#live-patching-disable)

### Enable Kernel Live Patching
<a name="live-patching-enable"></a>

Kernel Live Patching is disabled by default on AL2023. To use live patching, you must install the **DNF** plugin for Kernel Live Patching and enable the live patching functionality.

**To enable Kernel Live Patching**

1. Kernel live patches are available for AL2023 with kernel version `6.1`. To check your kernel version, run the following command.

   ```
   $ sudo dnf list kernel
   ```

1. Install the **DNF** plugin for Kernel Live Patching.

   ```
   $ sudo dnf install -y kpatch-dnf
   ```

1. Enable the **DNF** plugin for Kernel Live Patching.

   ```
   $ sudo dnf kernel-livepatch -y auto
   ```

   This command also installs the latest version of the kernel live patch RPM from the configured repositories.

1. To confirm that the **DNF** plugin for kernel live patching installed successfully, run the following command.

   When you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabled, this command returns a list that includes the initial empty kernel live patch RPM (and another RPM setting up the DNF repository containing the livepatches).

   ```
   $ sudo rpm -qa | grep kernel-livepatch
   kernel-livepatch-repo-s3-2023.7.20250428-0.amzn2023.noarch
   kernel-livepatch-6.1.134-150.224-1.0-0.amzn2023.x86_64
   ```

1. Install the **kpatch** package.

   ```
   $ sudo dnf install -y kpatch-runtime
   ```

1. Update the **kpatch** service if it was previously installed. 

   ```
   $ sudo dnf upgrade kpatch-runtime
   ```

1. Start the **kpatch** service. This service loads all of the kernel live patches upon initialization or at boot. 

   ```
   $ sudo systemctl enable kpatch.service && sudo systemctl start kpatch.service
   ```

### View the available kernel live patches
<a name="live-patching-view-available"></a>

Amazon Linux security alerts are published to the Amazon Linux Security Center. For more information about the AL2023 security alerts, including alerts for kernel live patches, see the [Amazon Linux Security Center](https://alas.aws.amazon.com/alas2023.html). Kernel live patches are prefixed with `ALASLIVEPATCH`. The Amazon Linux Security Center might not list kernel live patches that address bugs.

You can also discover the available kernel live patches for advisories and CVEs using the command line.

**To list all available kernel live patches for advisories**  
Use the following command.

```
$ sudo dnf updateinfo list
Last metadata expiration check: 1:06:23 ago on Mon 13 Feb 2023 09:28:19 PM UTC.
ALAS2LIVEPATCH-2021-123   important/Sec. kernel-livepatch-6.1.12-17.42-1.0-4.amzn2023.x86_64
ALAS2LIVEPATCH-2022-124   important/Sec. kernel-livepatch-6.1.12-17.42-1.0-3.amzn2023.x86_64
```

**To list all available kernel live patches for CVEs**  
Use the following command.

```
$ sudo dnf updateinfo list cves
Last metadata expiration check: 1:07:26 ago on Mon 13 Feb 2023 09:28:19 PM UTC.
CVE-2022-0123    important/Sec. kernel-livepatch-6.1.12-17.42-1.0-4.amzn2023.x86_64
CVE-2022-3210    important/Sec. kernel-livepatch-6.1.12-17.42-1.0-3.amzn2023.x86_64
```

### Apply kernel live patches
<a name="live-patching-apply"></a>

You apply kernel live patches using the **DNF** package manager in the same way that you apply regular updates. The **DNF** plugin for Kernel Live Patching manages the kernel live patches that are available to be applied.

**Tip**  
We recommend that you update your kernel regularly using Kernel Live Patching to ensure that it receives specific important and critical security fixes until the system can be rebooted. Please also check if additional fixes have been made available to the native kernel package that cannot be deployed as live patches and [update and reboot](https://docs.aws.amazon.com/linux/al2023/ug/updating.html) into the kernel update for those cases.

You can choose to apply a specific kernel live patch, or to apply any available kernel live patches along with your regular security updates.

**To apply a specific kernel live patch**

1. Get the kernel live patch version using one of the commands described in [View the available kernel live patches](#live-patching-view-available).

1. Apply the kernel live patch for your AL2023 kernel.

   ```
   $ sudo dnf install kernel-livepatch-kernel_version-package_version.amzn2023.x86_64
   ```

   For example, the following command applies a kernel live patch for AL2023 kernel version `6.1.12-17.42`.

   ```
   $ sudo dnf install kernel-livepatch-6.1.12-17.42-1.0-4.amzn2023.x86_64
   ```

**To apply any available kernel live patches along with your regular security updates**  
Use the following command.

```
$ sudo dnf upgrade --security
```

Omit the `--security` option to include bug fixes.

**Important**  
The kernel version isn't updated after applying kernel live patches. The version is only updated to the new version after the instance is rebooted.
An AL2023 kernel receives kernel live patches for 3 months. After this period, no new kernel live patches are released for that kernel version.
To continue to receive kernel live patches after 3 months, you must reboot the instance to move to the new kernel version. The instance continues to receive kernel live patches for the next 3 months after you update it.
To check the support window for your kernel version, run the following command:  

  ```
  $ sudo dnf kernel-livepatch support
  The current version of the Linux kernel you are running will no longer receive live patches after 2025-07-22.
  ```
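One way to monitor the 3-month support window described above, as an added example that is not AWS tooling: the functions parse the date from the `dnf kernel-livepatch support` message and classify it against a warning threshold. The example assumes the message wording shown in the sample output; the function names and the 14-day threshold are hypothetical.

```shell
#!/bin/sh
# Added example: turn the "dnf kernel-livepatch support" message into a monitoring status.

# livepatch_days_left "SUPPORT_OUTPUT" [TODAY]
# Prints the number of days from TODAY (YYYY-MM-DD, default: current UTC date) to the
# last day of live patch support. Returns 2 if the output holds no such date.
livepatch_days_left() {
  end=$(printf '%s\n' "$1" |
    sed -n 's/.*no longer receive live patches after \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' |
    head -n 1)
  [ -n "$end" ] || return 2
  today=${2:-$(date -u +%Y-%m-%d)}
  # Day numbers are computed in awk (March-based civil calendar) so the
  # function does not depend on GNU date extensions.
  awk -v a="$end" -v b="$today" '
    function daynum(s,   p, y, m, d) {
      split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
      if (m <= 2) { y--; m += 12 }
      return 365 * y + int(y / 4) - int(y / 100) + int(y / 400) + int((153 * (m - 3) + 2) / 5) + d
    }
    BEGIN { print daynum(a) - daynum(b) }'
}

# livepatch_window_status "SUPPORT_OUTPUT" WARN_DAYS [TODAY]
# Prints ok, expiring (WARN_DAYS or fewer days left), expired, or unknown.
livepatch_window_status() {
  left=$(livepatch_days_left "$1" "$3") || { echo unknown; return 0; }
  if [ "$left" -lt 0 ]; then echo expired
  elif [ "$left" -le "$2" ]; then echo expiring
  else echo ok
  fi
}

# Message text as shown in the sample output above; the evaluation dates are constructed.
SAMPLE='The current version of the Linux kernel you are running will no longer receive live patches after 2025-07-22.'
for day in 2025-07-01 2025-07-10 2025-07-23; do
  echo "$day: $(livepatch_window_status "$SAMPLE" 14 "$day") ($(livepatch_days_left "$SAMPLE" "$day") days left)"
done
# On an instance: livepatch_window_status "$(sudo dnf kernel-livepatch support)" 14
```

A status of `expiring` or `expired` is the signal to schedule the reboot into a newer kernel version that the preceding text describes.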

### View the applied kernel live patches
<a name="live-patching-view"></a>

**To view the applied kernel live patches**  
Use the following command.

```
$ sudo kpatch list
Loaded patch modules:
livepatch_CVE_2022_36946 [enabled]

Installed patch modules:
livepatch_CVE_2022_36946 (6.1.57-29.131.amzn2023.x86_64)
livepatch_CVE_2022_36946 (6.1.57-30.131.amzn2023.x86_64)
```

The command returns a list of the loaded and installed security update kernel live patches. The preceding output is an example.

**Note**  
A single kernel live patch can include and install multiple live patches.

### Disable Kernel Live Patching
<a name="live-patching-disable"></a>

If you no longer need to use Kernel Live Patching, you can disable it at any time.
+ Disable the use of livepatches:

  1. Disable the plugin: 

     ```
     $ sudo dnf kernel-livepatch manual
     ```

  1. Disable the kpatch service: 

     ```
     $ sudo systemctl disable --now kpatch.service
     ```
+ Fully remove the livepatch tools:

  1. Remove the plugin:

     ```
     $ sudo dnf remove kpatch-dnf
     ```

  1. Remove kpatch-runtime:

     ```
     $ sudo dnf remove kpatch-runtime
     ```

  1. Remove any installed livepatches:

     ```
     $ sudo dnf remove kernel-livepatch\*
     ```

# Updating the Linux Kernel on AL2023
<a name="kernel-update"></a>

**Topics**
+ [Linux Kernel Versions on AL2023](#al2023-kernels)
+ [Updating AL2023 to a Newer Kernel Version](#kernelup)
+ [AL2023 kernels - Frequently Asked Questions](#al2023-kernel-faq)

## Linux Kernel Versions on AL2023
<a name="al2023-kernels"></a>

AL2023 regularly includes new kernel versions based on Long-Term Support (LTS) versions of the Linux kernel.

AL2023 was originally released in March 2023 with kernel 6.1.

In April 2025, AL2023 added support for Linux kernel 6.12. This kernel added new features including EEVDF scheduling, FUSE passthrough I/O support, a new Futex API, and improvements in eBPF. Kernel 6.12 also allows a userspace program to secure itself at runtime using user-space shadow stacks and memory sealing.

In March 2026, AL2023 added support for Linux kernel 6.18. The updated kernel 6.18 brings additional improvements in processor support, virtualization, security, and performance. Notable features include improved IOMMU capabilities across architectures and Attack Vector Controls for managing CPU vulnerability mitigations. Performance enhancements come through cryptography optimizations with faster FSCRYPT operations, memory management improvements, and the introduction of Sheaves as a new opt-in, per-CPU array-based caching layer. 

## Updating AL2023 to a Newer Kernel Version
<a name="kernelup"></a>

Starting in June 2026, AL2023 will update the default kernel annually. The [`al2023-ami-kernel-default`](ec2.md#launch-via-aws-cli) set of AMIs will be updated to the latest LTS kernel, so that newly launched instances will automatically come up with the new kernel version — this is the simplest way to stay current with the latest security fixes and performance improvements.

If you prefer to choose a specific kernel version, you can run AL2023 with kernel 6.12 or 6.18 either by selecting an AMI with the desired kernel pre-installed or by upgrading an existing AL2023 EC2 instance.

### Running an AL2023 AMI with a specific kernel version
<a name="kernelup-ami"></a>

You can run an AL2023 AMI with a specific kernel pre-installed by selecting it in the AWS Console or by querying SSM for specific parameters. The SSM keys to query start with `/aws/service/ami-amazon-linux-latest/` followed by one of the following:

#### For kernel 6.12
<a name="kernel6.12-ami"></a>
+ `al2023-ami-kernel-6.12-arm64` for arm64 architecture
+ `al2023-ami-minimal-kernel-6.12-arm64` for arm64 architecture (minimal AMI)
+ `al2023-ami-kernel-6.12-x86_64` for x86_64 architecture
+ `al2023-ami-minimal-kernel-6.12-x86_64` for x86_64 architecture (minimal AMI)

#### For kernel 6.18
<a name="kernel6.18-ami"></a>
+ `al2023-ami-kernel-6.18-arm64` for arm64 architecture
+ `al2023-ami-minimal-kernel-6.18-arm64` for arm64 architecture (minimal AMI)
+ `al2023-ami-kernel-6.18-x86_64` for x86_64 architecture
+ `al2023-ami-minimal-kernel-6.18-x86_64` for x86_64 architecture (minimal AMI)

Please see [Launching AL2023 using the SSM parameter and AWS CLI](ec2.md#launch-via-aws-cli) for details on selecting AL2023 AMIs.

### Updating an AL2023 instance to a newer kernel
<a name="kernel-ipu"></a>

You can in-place upgrade a running AL2023 instance to kernel 6.12 or 6.18 with the following steps:

1. Detect current kernel and set target version:

   ```
   # Automatically detect current kernel version BEFORE upgrade
   $ CURRENT_KERNEL=$(uname -r)
   $ SOURCE_VERSION=""
   
   # Match the version prefix so that a 6.1 release string that contains "6.12" is not detected as 6.12
   $ if [[ $CURRENT_KERNEL == 6.12.* ]]; then
       SOURCE_VERSION="6.12"
   else
       SOURCE_VERSION=""
   fi
   
   # Save the source version to a persistent location for use after reboot
   $ echo "${SOURCE_VERSION}" | sudo tee /var/lib/source_kernel_version > /dev/null
   ```

   ```
   # Set your target version (change this to your desired kernel: 6.12 or 6.18)
   $ TARGET_VERSION="6.12"
   ```

   ```
   $ echo "Current kernel: ${SOURCE_VERSION:-6.1}"
   $ echo "Upgrading to kernel ${TARGET_VERSION}"
   ```

1. Install the target kernel package:

   ```
   $ sudo dnf install -y kernel${TARGET_VERSION}
   ```

1. Get the latest version of the target kernel package:

   ```
   $ version=$(rpm -q --qf '%{version}-%{release}.%{arch}\n' kernel${TARGET_VERSION} | sort -V | tail -1) 
   ```

1. Make the new kernel your default kernel:

   ```
   $ sudo grubby --set-default "/boot/vmlinuz-$version" 
   ```

1. Reboot your system:

   ```
   $ sudo reboot 
   ```

1. Uninstall the previous kernel:

   ```
   # Read the source kernel version from the saved file
   $ SOURCE_VERSION=$(sudo cat /var/lib/source_kernel_version)
   
   # Uninstall the source kernel
   $ sudo dnf remove -y kernel${SOURCE_VERSION}
   ```

1. Replace extra kernel packages with their target kernel equivalents:

   ```
   # Set your target version (change this to your desired kernel: 6.12 or 6.18)
   $ TARGET_VERSION="6.12"
   ```

   ```
   $ declare -A pkgs
   $ pkgs=(
   [bpftool${SOURCE_VERSION}]=bpftool${TARGET_VERSION}
   [kernel${SOURCE_VERSION}-debuginfo]=kernel${TARGET_VERSION}-debuginfo
   [kernel${SOURCE_VERSION}-debuginfo-common]=kernel${TARGET_VERSION}-debuginfo-common
   [kernel${SOURCE_VERSION}-headers]=kernel${TARGET_VERSION}-headers
   [kernel${SOURCE_VERSION}-libbpf]=kernel${TARGET_VERSION}-libbpf
   [kernel${SOURCE_VERSION}-libbpf-devel]=kernel${TARGET_VERSION}-libbpf-devel
   [kernel${SOURCE_VERSION}-libbpf-static]=kernel${TARGET_VERSION}-libbpf-static
   [kernel${SOURCE_VERSION}-modules-extra-common]=kernel${TARGET_VERSION}-modules-extra-common
   [kernel${SOURCE_VERSION}-tools]=kernel${TARGET_VERSION}-tools
   [kernel${SOURCE_VERSION}-tools-devel]=kernel${TARGET_VERSION}-tools-devel
   [perf${SOURCE_VERSION}]=perf${TARGET_VERSION}
   [python3-perf${SOURCE_VERSION}]=python3-perf${TARGET_VERSION}
   )
   $ for pkg in "${!pkgs[@]}"; do 
     rpm -q $pkg && sudo dnf -y swap $pkg "${pkgs["$pkg"]}" ;
   done
   ```

1. (Optional) Uninstall kernel-devel for previous kernel version:

   ```
   $ rpm -q kernel${SOURCE_VERSION}-devel && sudo dnf remove -y kernel${SOURCE_VERSION}-devel 
   ```

### Downgrading to an earlier kernel version
<a name="kernel-downgrade"></a>

If at any point in time you need to downgrade back to an earlier kernel version, use the following steps:

1. Detect current kernel and set target version:

   ```
   # Automatically detect current kernel version BEFORE downgrade
   $ CURRENT_KERNEL=$(uname -r)
   $ SOURCE_VERSION=""
   
   # Match the version prefix so that digits elsewhere in the release string cannot match
   $ if [[ $CURRENT_KERNEL == 6.12.* ]]; then
       SOURCE_VERSION="6.12"
   elif [[ $CURRENT_KERNEL == 6.18.* ]]; then
       SOURCE_VERSION="6.18"
   fi
   
   # Save the source version to a persistent location for use after reboot
   $ echo "${SOURCE_VERSION}" | sudo tee /var/lib/source_kernel_version > /dev/null
   ```

   ```
   # Set your target version (change this to your desired kernel)
   # Use "" for kernel 6.1, "6.12" for kernel 6.12
   $ TARGET_VERSION=""
   ```

   ```
   $ echo "Downgrading from kernel ${SOURCE_VERSION:-6.1} to kernel ${TARGET_VERSION:-6.1}"
   ```

1. Replace extra kernel packages with their target kernel equivalents:

   ```
   $ declare -A pkgs
   $ pkgs=(
   [bpftool${TARGET_VERSION}]=bpftool${SOURCE_VERSION}
   [kernel${TARGET_VERSION}-debuginfo]=kernel${SOURCE_VERSION}-debuginfo
   [kernel${TARGET_VERSION}-debuginfo-common]=kernel${SOURCE_VERSION}-debuginfo-common
   [kernel${TARGET_VERSION}-headers]=kernel${SOURCE_VERSION}-headers
   [kernel${TARGET_VERSION}-libbpf]=kernel${SOURCE_VERSION}-libbpf
   [kernel${TARGET_VERSION}-libbpf-devel]=kernel${SOURCE_VERSION}-libbpf-devel
   [kernel${TARGET_VERSION}-libbpf-static]=kernel${SOURCE_VERSION}-libbpf-static
   [kernel${TARGET_VERSION}-modules-extra-common]=kernel${SOURCE_VERSION}-modules-extra-common
   [kernel${TARGET_VERSION}-tools]=kernel${SOURCE_VERSION}-tools
   [kernel${TARGET_VERSION}-tools-devel]=kernel${SOURCE_VERSION}-tools-devel
   [perf${TARGET_VERSION}]=perf${SOURCE_VERSION}
   [python3-perf${TARGET_VERSION}]=python3-perf${SOURCE_VERSION}
   )
   $ for pkg in "${!pkgs[@]}"; do 
     rpm -q "${pkgs["$pkg"]}" && sudo dnf -y swap "${pkgs["$pkg"]}" $pkg ;
   done
   ```

1. Install the target kernel package:

   ```
   $ sudo dnf install -y kernel${TARGET_VERSION}
   ```

1. Get the latest version of the target kernel package:

   ```
   $ version=$(rpm -q --qf '%{version}-%{release}.%{arch}\n' kernel${TARGET_VERSION} | sort -V | tail -1) 
   ```

1. Make the target kernel your default kernel:

   ```
   $ sudo grubby --set-default "/boot/vmlinuz-$version" 
   ```

1. Reboot your system:

   ```
   $ sudo reboot 
   ```

1. Uninstall the source kernel:

   ```
   # Read the source kernel version from the saved file
   $ SOURCE_VERSION=$(sudo cat /var/lib/source_kernel_version)
   
   # Uninstall the source kernel
   $ sudo dnf remove -y kernel${SOURCE_VERSION}
   ```
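A post-reboot check for the upgrade and downgrade procedures above, added here as an illustration and not part of the AL2023 documentation: it confirms that the instance booted into the target kernel series before the source kernel is removed, and lists extra packages that are still on the source series. The function names, output wording, and sample `uname -r` strings are constructed; the package list is the one used in the steps above.

```shell
#!/bin/sh
# Added example: verify the running kernel before removing the source kernel.

# Package-name templates from the procedure above; "@" marks where the series suffix goes.
EXTRA_PKGS="bpftool@ kernel@-debuginfo kernel@-debuginfo-common kernel@-headers kernel@-libbpf
kernel@-libbpf-devel kernel@-libbpf-static kernel@-modules-extra-common kernel@-tools
kernel@-tools-devel perf@ python3-perf@"

# kernel_series UNAME_R: print the package suffix this page uses for that kernel
# ("" for 6.1, "6.12", "6.18"). The match is anchored on the version prefix, so a
# 6.1 release string such as 6.1.100-116.12 is not mistaken for 6.12.
kernel_series() {
  case "$1" in
    6.1.*)  echo "" ;;
    6.12.*) echo "6.12" ;;
    6.18.*) echo "6.18" ;;
    *)      return 1 ;;
  esac
}

# post_reboot_check UNAME_R SOURCE TARGET   (installed package names on stdin)
# Prints "OK remove kernel<SOURCE>" plus one LEFTOVER line per extra package still on
# the source series, or a STOP line (and returns 1) when removal is not safe.
post_reboot_check() {
  running=$(kernel_series "$1") || { echo "STOP unrecognized kernel $1"; return 1; }
  if [ "$running" != "$3" ]; then
    echo "STOP running kernel is series ${running:-6.1}, expected ${3:-6.1}; do not remove package kernel$2"
    return 1
  fi
  [ "$2" != "$3" ] || { echo "STOP source and target series are the same"; return 1; }
  installed=$(cat)
  echo "OK remove kernel$2"
  for t in $EXTRA_PKGS; do
    old="${t%%@*}$2${t#*@}"
    if printf '%s\n' "$installed" | grep -qxF -- "$old"; then
      echo "LEFTOVER $old -> ${t%%@*}$3${t#*@}"
    fi
  done
}

# Constructed inputs: the instance booted into 6.12 after an upgrade from 6.1 ...
printf 'kernel\nkernel6.12\nkernel-headers\nperf6.12\nkernel-tools\n' |
  post_reboot_check 6.12.40-64.114.amzn2023.x86_64 "" 6.12
# ... and the instance came back up on the old 6.1 kernel instead.
printf 'kernel\nkernel6.12\n' |
  post_reboot_check 6.1.100-116.12.amzn2023.x86_64 "" 6.12 || true
# On an instance, after the reboot:
#   rpm -qa --qf '%{NAME}\n' |
#     post_reboot_check "$(uname -r)" "$(cat /var/lib/source_kernel_version)" "$TARGET_VERSION"
```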

## AL2023 kernels - Frequently Asked Questions
<a name="al2023-kernel-faq"></a>

### 1. Do I need to reboot after a kernel update?
<a name="w2aac39c19b9b3"></a>

Every change to the running kernel requires a reboot.

### 2. How do I keep kernels up-to-date across multiple instances?
<a name="w2aac39c19b9b5"></a>

Amazon Linux does not provide facilities to manage fleets of instances. We recommend you patch large fleets using tools like [AWS Systems Manager](https://aws.amazon.com/systems-manager/).

### 3. How do I check which kernel version I am running right now?
<a name="w2aac39c19b9b7"></a>

Execute this command on your AL2023 instance:

```
$ uname -r 
```

### 4. Which kernel does AL2023 recommend that I use?
<a name="w2aac39c19b9b9"></a>

We recommend that you upgrade to the latest AL2023 kernel, 6.18. All the other AL2023 kernels are still supported. We recommend that customers test their workloads before they upgrade.

### 5. Will my existing applications work with any AL2023 kernel?
<a name="w2aac39c19b9c11"></a>

AL2023 supports a newer kernel (6.12 or 6.18) in the same way as kernel 6.1. Applications will work, and improvements are happening under the hood. In any case, customers should test their specific workloads before switching to a newer kernel.

### 6. How do I install kernel headers, development packages, and extra modules for kernel 6.12 or 6.18?
<a name="w2aac39c19b9c13"></a>

Please run:

```
$ version=$(uname -r | grep -oP '^\d+\.\d+')
$ sudo dnf install -y kernel${version}-modules-extra-$(uname -r) kernel${version}-headers-$(uname -r) kernel${version}-devel-$(uname -r)
```

### 7. How long will kernel 6.12 and 6.18 be supported?
<a name="w2aac39c19b9c15"></a>

Kernel 6.12 and 6.18 will be supported until the planned end of life of Amazon Linux 2023, which is 2029-06-30.