# What is Amazon Linux 2023?
<a name="what-is-amazon-linux"></a>

Amazon Linux 2023 (AL2023) is the next generation of Amazon Linux from Amazon Web Services (AWS). With AL2023, you can develop and run cloud and enterprise applications in a secure, stable, and high-performance runtime environment. Also you get an application environment that offers long-term support with access to the latest innovations in Linux. AL2023 is provided at no additional charge.

AL2023 is the successor to Amazon Linux 2 (AL2). For information about the differences between AL2023 and AL2, see [Comparing AL2 and AL2023](compare-with-al2.md) and [Package changes in AL2023](https://docs.aws.amazon.com/linux/al2023/release-notes/compare-packages.html).

**Topics**
+ [Release cadence](release-cadence.md)
+ [Naming and versioning](naming-and-versioning.md)
+ [Performance and operational optimizations](performance-optimizations.md)
+ [Relationship to Fedora](relationship-to-fedora.md)
+ [Customized cloud-init](cloud-init.md)
+ [Security updates and features](security-features.md)
+ [Networking service](networking-service.md)
+ [Core toolchain packages glibc, gcc, binutils](core-glibc.md)
+ [Package management tool](package-management.md)
+ [Default SSH server configuration](ssh-host-keys-disabled.md)

# Release cadence
<a name="release-cadence"></a>

Amazon Linux 2023 (AL2023) was released in March 2023 and will be supported until June 30, 2029. There are two phases of support:
+ **Standard support** – During this phase, the release receives quarterly minor version updates. The standard support phase ends June 30, 2027.
+ **Maintenance** – During this phase, the release receives only security updates and critical bug fixes. These updates are published as soon as they're available. The maintenance phase ends June 30, 2029.

## Major and minor releases
<a name="major-minor-releases"></a>

With every Amazon Linux release (major version, minor version, or a security release), we release a new Linux Amazon Machine Image (AMI).
+ **Major version release** – Includes new features and improvements in security and performance across the stack. The improvements might include major changes to the kernel, toolchain, glibc, OpenSSL, and any other system libraries and utilities. Major releases of Amazon Linux are based in part on the current version of the upstream Fedora Linux distribution. AWS might add or replace specific packages from other non-Fedora upstreams.
+ **Minor version release** – A quarterly update that includes security updates, bug fixes, and new features and packages. Each minor version is a cumulative list of updates that includes security and bug fixes in addition to new features and packages. These releases might include the latest language runtimes, such as PHP. They might also include other popular software packages such as Ansible and Docker.

## Consuming new releases
<a name="consuming-new-releases"></a>

Updates are provided through a combination of new Amazon Machine Image (AMI) releases and corresponding new repositories. By default, a new AMI and the repository that it points to are coupled. However, you can point your running Amazon EC2 instances to newer repository versions over time to apply updates on the running instances. You can also update by launching new instances of the latest AMIs.

## Long-term support policy
<a name="long-term-support-policy"></a>

Amazon Linux provides updates for all of your packages and maintains compatibility within a major version for your applications that are built on Amazon Linux. Core packages such as the glibc library, OpenSSL, OpenSSH, and the DNF package manager receive support for the lifetime of the major AL2023 release. Packages that aren't part of the core packages are supported based on their specific upstream sources. You can see the specific support status and dates of individual packages by running the following command.

```
$ sudo dnf supportinfo --pkg packagename
```

You can get information on all currently installed packages by running the following command.

```
$ sudo dnf supportinfo --show installed
```

The full list of core packages is finalized during the preview. If you want to see more packages included as core packages, tell us. We evaluate requests as we collect feedback. Feedback on AL2023 can be provided through your designated AWS representative or by filing an issue in the [amazon-linux-2023 repo](https://github.com/amazonlinux/amazon-linux-2023/issues) on GitHub.

# Naming and versioning
<a name="naming-and-versioning"></a>

AL2023 provides a minor release every three months during the two years of standard support. Each release is identified by an increment from 0 to N, where 0 refers to the original major release. All releases are called Amazon Linux 2023. When the next version of Amazon Linux is released, AL2023 enters extended support and receives only security updates and critical bug fixes.

For example, minor releases of AL2023 have the following format:
+ `2023.0.20230301`
+ `2023.1.20230601`
+ `2023.2.20230901`

The corresponding AL2023 AMIs have the following format:
+ `al2023-ami-2023.0.20230301.0-kernel-6.1-x86_64`
+ `al2023-ami-2023.1.20230601.0-kernel-6.1-x86_64`
+ `al2023-ami-2023.2.20230901.0-kernel-6.1-x86_64`

Within a specific minor version, regular AMI releases occur with a timestamp of the date of the AMI release.
+ `al2023-ami-2023.0.20230301.0-kernel-6.1-x86_64`
+ `al2023-ami-2023.0.20230410.0-kernel-6.1-x86_64`
+ `al2023-ami-2023.0.20230520.0-kernel-6.1-x86_64`

The recommended method for identifying an AL2 or AL2023 instance starts with reading the Common Platform Enumeration (CPE) string from `/etc/system-release-cpe`. Then, split the string into its fields. Finally, read the platform and version values.

AL2023 also introduces new files for platform identification:
+  `/etc/amazon-linux-release` symlinks to `/etc/system-release` 
+  `/etc/amazon-linux-release-cpe` symlinks to `/etc/system-release-cpe`

These two files indicate that an instance is Amazon Linux. There's no need to read a file or split the string into fields, unless you want to know the specific platform and version values.
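The identification procedure above, read the CPE string, split it on `:`, take the platform and version fields, as an added shell example that is not part of the AL2023 documentation. The CPE strings in it are constructed samples in the layout that `/etc/system-release-cpe` uses (`cpe:2.3:o:amazon:amazon_linux:<version>`); the function also accepts the older `cpe:/o:vendor:product:version` layout, which goes beyond what the page describes. `is_amazon_linux` is a helper name chosen here; it checks for the `/etc/amazon-linux-release` marker the page introduces and takes an optional root directory so it can be tested offline.

```shell
#!/bin/sh
# Added example, not from the AL2023 documentation: identify the platform and
# version of an Amazon Linux instance from its CPE string, as the page
# recommends. Sample strings below are constructed; on a real instance read
# /etc/system-release-cpe itself.

# Print "<platform> <version>" for a CPE string, for example
#   cpe:2.3:o:amazon:amazon_linux:2023  ->  amazon_linux 2023
# CPE 2.3 fields: cpe:2.3:part:vendor:product:version[:...]
# CPE 2.2 fields: cpe:/part:vendor:product:version   (extension beyond the page)
# Returns 1 when the string is not an Amazon Linux CPE.
cpe_platform_version() {
  cpe=$1
  old_ifs=$IFS
  set -f                 # no pathname expansion while the string is word-split
  IFS=':'
  # shellcheck disable=SC2086  # splitting on ':' is the point here
  set -- $cpe
  IFS=$old_ifs
  set +f
  case "$1:$2" in
    cpe:2.3) vendor=$4 product=$5 version=$6 ;;
    cpe:/*)  vendor=$3 product=$4 version=$5 ;;
    *) echo "unrecognised CPE string: $cpe" >&2; return 1 ;;
  esac
  if [ "$vendor" != "amazon" ] || [ -z "$version" ]; then
    echo "not an Amazon Linux CPE: $cpe" >&2
    return 1
  fi
  printf '%s %s\n' "$product" "$version"
}

# Return 0 if the given root directory (default: /) carries the
# /etc/amazon-linux-release marker that AL2023 introduces.
is_amazon_linux() {
  [ -e "${1:-}/etc/amazon-linux-release" ]
}

# Offline demonstration with constructed sample values
cpe_platform_version 'cpe:2.3:o:amazon:amazon_linux:2023'   # amazon_linux 2023
cpe_platform_version 'cpe:2.3:o:amazon:amazon_linux:2'      # amazon_linux 2

# On an instance, read the real file instead
if is_amazon_linux; then
  cpe_platform_version "$(cat /etc/system-release-cpe)" || :
fi
```

Matching on the `cpe` prefix and the `amazon` vendor field, rather than on the version alone, avoids misclassifying a Fedora or CentOS host whose CPE happens to end in a number.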

# Performance and operational optimizations
<a name="performance-optimizations"></a>

**Amazon Linux 6.1 kernel**
+ AL2023 uses the latest drivers for Elastic Network Adapter (ENA) and Elastic Fabric Adapter (EFA) devices. AL2023 focuses on performance and functionality backports for hardware in Amazon EC2 infrastructure. 
+ Kernel live patching is available for the `x86_64` and `aarch64` instance types. This reduces the need for frequent reboots.
+ All kernel build and runtime configurations include many of the same performance and operational optimizations of AL2.

**Base toolchain selection and default build flags**
+ AL2023 packages are built with compiler optimizations (`-O2`) enabled by default.
+ AL2023 packages are built requiring `x86-64-v2` for `x86-64` systems (`-march=x86-64-v2`), and Graviton 2 or higher for `aarch64` (`-march=armv8.2-a+crypto -mtune=neoverse-n1`).
+ AL2023 packages are built with auto-vectorization enabled (`-ftree-vectorize`).
+ AL2023 packages are built with Link Time Optimization (LTO) enabled.
+ AL2023 uses the updated versions of Rust, Clang/LLVM, and Go.

**Package selection and versions**
+ Select backports to major system components include several performance improvements for running on Amazon EC2 infrastructure, especially Graviton instances.
+ AL2023 is integrated with several AWS services and features. This includes the AWS CLI, SSM Agent, Amazon Kinesis Agent, and CloudFormation.
+ AL2023 uses Amazon Corretto as the Java Development Kit (JDK).
+ AL2023 provides database engines and programming language runtime updates to newer versions as they're released by upstream projects. Programming language runtimes with new versions are added when they're released.

**Deployment in a cloud environment**
+ The base AL2023 AMI and container images are frequently updated to support patching instance replacement.
+ Kernel updates are included in AL2023 AMI updates. This means that you don't need to use commands such as `yum update` and `reboot` to update your kernel.
+ In addition to the standard AL2023 AMI, a minimal AMI and a minimal container image are also available. Choose the minimal AMI to run an environment with only the packages that are required to run your service.
+ By default, AL2023 AMIs and containers are locked to a specific version of the package repositories. There's no auto-update when they're launched. This means that you're always in control of when you ingest any package update. You can always test in a beta/gamma environment before rolling out to production. If there's a problem, you can use the pre-validated rollback path.

# Relationship to Fedora
<a name="relationship-to-fedora"></a>

AL2023 maintains its own release and support lifecycles independent of Fedora. AL2023 provides updated versions of open-source software, a larger variety of packages, and frequent releases, while preserving the familiar RPM-based operating system experience.

The Generally Available (GA) version of AL2023 isn't directly comparable to any specific Fedora release. The AL2023 GA version includes components from Fedora 34, 35, and 36. Some of the components are the same as the components in Fedora and some are modified. Other components more closely resemble the components in CentOS Stream 9 or were developed independently. The Amazon Linux kernel is sourced from the long-term support options that are on kernel.org, chosen independently from Fedora.

# Customized cloud-init
<a name="cloud-init"></a>

The cloud-init package is an open-source application that bootstraps Linux images in a cloud computing environment. For more information, see [cloud-init Documentation](https://cloudinit.readthedocs.io/en/22.2.2/).

AL2023 contains a customized version of cloud-init. With cloud-init, you can specify what occurs to your instance at boot time. 

When you launch an instance, you can use the user-data fields to pass actions to cloud-init. This means that you can use common Amazon Machine Images (AMIs) for many use cases and configure them dynamically when you start an instance. AL2023 also uses cloud-init to configure the `ec2-user` account.

AL2023 uses the cloud-init actions in `/etc/cloud/cloud.cfg.d` and `/etc/cloud/cloud.cfg`. You can create your own cloud-init action files in the `/etc/cloud/cloud.cfg.d` directory. Cloud-init reads all the files in this directory in lexicographical order. Later files overwrite values in earlier files. When cloud-init launches an instance, the cloud-init package does the following configuration tasks: 
+ Sets the default locale
+ Sets the hostname
+ Parses and handles user-data
+ Generates host private SSH keys
+ Adds a user's public SSH keys to `.ssh/authorized_keys` for easy login and administration
+ Prepares the repositories for package management
+ Handles package actions that are defined in user-data
+ Runs user scripts that are in user-data
+ Mounts instance store volumes, if applicable
  + By default, if the `ephemeral0` instance store volume is present and contains a valid file system, the instance store volume is mounted at `/media/ephemeral0`. Otherwise, it's not mounted.
  + By default, for the `m1.small` and `c1.medium` instance types, all swap volumes that are associated with the instance are mounted.
  + You can override the default instance store volume mount with the following cloud-init directive:

    ```
    #cloud-config
    mounts:
    - [ ephemeral0 ]
    ```

    For more control over mounts, see [Mounts](https://cloudinit.readthedocs.io/en/22.2.2/topics/modules.html#mounts) in the cloud-init documentation.
  + When an instance launches, instance store volumes that support TRIM aren't formatted. Before you can mount these volumes, you must partition and format them.

    For more information, see [Instance store volume TRIM support](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssd-instance-store.html#InstanceStoreTrimSupport) in the *Amazon EC2 User Guide*. 
  + When you launch your instances, you can use the `disk_setup` module to partition and format your instance store volumes.

    For more information, see [Disk Setup](https://cloudinit.readthedocs.io/en/22.2.2/topics/modules.html#disk-setup) in the cloud-init documentation.

For information about using cloud-init with SELinux, see [Use cloud-init to enable `enforcing` mode](enforcing-mode.md#cloud-init-enforcing). 

For information about cloud-init user-data formats, see [User-Data Formats](https://cloudinit.readthedocs.io/en/22.2.2/topics/format.html#format) in the cloud-init documentation.

# Security updates and features
<a name="security-features"></a>

AL2023 provides many security updates and solutions. 

**Topics**
+ [Manage updates](#manage-updates)
+ [Security in the cloud](#cloud-security)
+ [SELinux modes](#setting-selinux)
+ [Compliance program](#compliance-program)
+ [SSH server default](#ssh-server-default)
+ [Major features of OpenSSL 3](#openssl-3)

## Manage updates
<a name="manage-updates"></a>

Apply security updates using DNF and repository versions. For more information, see [Manage package and operating system updates in AL2023](managing-repos-os-updates.md). 

## Security in the cloud
<a name="cloud-security"></a>

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security of the cloud and security in the cloud. For more information, see [Security and Compliance in Amazon Linux 2023](security.md).

## SELinux modes
<a name="setting-selinux"></a>

By default, SELinux is enabled and set to permissive mode in AL2023. In permissive mode, permission denials are logged but not enforced. 

The SELinux policies define permissions for users, processes, programs, files, and devices. With SELinux, you can choose one of two policies: targeted or multi-level security (MLS).

For more information about SELinux modes and policy, see [Setting SELinux modes for AL2023](selinux-modes.md) and [ the SELinux Project Wiki](http://selinuxproject.org/page/Main_Page).

## Compliance program
<a name="compliance-program"></a>

Independent auditors assess the security and compliance of AL2023 along with many AWS compliance programs.

## SSH server default
<a name="ssh-server-default"></a>

AL2023 includes OpenSSH 8.7. By default, OpenSSH 8.7 disables the legacy `ssh-rsa` host key algorithm. For more information, see [Default SSH server configuration](ssh-host-keys-disabled.md).

## Major features of OpenSSL 3
<a name="openssl-3"></a>
+ The Certificate Management Protocol (CMP, RFC 4210) includes both CRMF (RFC 4211) and HTTP transfer (RFC 6712).
+ An HTTP or HTTPS client in libcrypto supports GET and POST actions, redirection, plain and ASN.1-encoded content, proxies, and timeouts.
+ The `EVP_KDF` API works with Key Derivation Functions.
+ The `EVP_MAC` API works with MACs.
+ Linux Kernel TLS support.

For more information, see the [OpenSSL migration guide](https://www.openssl.org/docs/man3.0/man7/migration_guide.html). 

# Networking service
<a name="networking-service"></a>

The open-source project `systemd-networkd` is widely available in modern Linux distributions. The project uses a declarative configuration language that's similar to the rest of the `systemd` framework. Its primary configuration file types are `.network` and `.link` files.

The `amazon-ec2-net-utils` package generates interface-specific configurations in the `/run/systemd/network` directory. These configurations enable both IPv4 and IPv6 networking on interfaces when they're attached to an instance. These configurations also install policy routing rules that help ensure that locally sourced traffic is routed to the network through the corresponding instance's network interface. These rules ensure that the right traffic is routed through the Elastic Network Interface (ENI) from the associated addresses or prefixes. For more information about using ENI, see [Using ENI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) in the *Amazon EC2 User Guide*.

You can customize this networking behavior by placing a custom configuration file in the `/etc/systemd/network` directory to override the default configuration settings contained in `/run/systemd/network`. 

The [systemd.network](https://www.freedesktop.org/software/systemd/man/systemd.network.html) documentation describes how the `systemd-networkd` service determines the configuration that applies to a specific interface. AL2023 also generates alternative names, known as altnames, for the ENI-backed interfaces to reflect the properties of various AWS resources. These ENI-backed interface properties are the `ENI ID` and the `DeviceIndex` field of the ENI attachment. You can refer to these interfaces using their properties when using various tools, such as the `ip` command.

AL2023 instance interface names are generated using the `systemd` slot naming scheme. For more information, see [systemd.net naming scheme](https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html).

Additionally, AL2023 uses the `fq_codel` active queue management network transmission scheduling algorithm by default. For more information, see [CoDel overview](https://www.bufferbloat.net/projects/codel/wiki/).

# Core toolchain packages glibc, gcc, binutils
<a name="core-glibc"></a>

A subset of packages in Amazon Linux is designated as core toolchain packages. As a major part of AL2023, core packages receive five years of support. We might change the version of a package, but long-term support applies to the package included in the Amazon Linux release.

These three core packages provide a system toolchain that's used to build most software in the Amazon Linux distribution.


| Package | Definition | Purpose | 
| --- | --- | --- | 
| glibc 2.34 |  System C library  |  Used by most binary programs that provide standard functions and by the interface between programs and the kernel.  | 
|  gcc 11.2  |  gcc compiler suite  |  Compiles C, C++, Fortran.  | 
|  binutils 2.35  |  Assembler and linker plus other binary tools  |  Manipulates or inspects binary programs.  | 

We recommend that updates to any glibc libraries are followed by a reboot. For updates to packages that control services, it might be sufficient to restart the services to pick up the updates. However, a system reboot ensures that all previous package and library updates are complete.

# Package management tool
<a name="package-management"></a>

The default software package management tool in AL2023 is DNF. DNF is the successor to YUM, the package management tool in AL2.

DNF is similar to YUM in its usage. Many DNF commands and command options are the same as YUM commands. In a Command Line Interface (CLI) command, in most cases `dnf` replaces `yum`. 

For example, for the following AL2 `yum` commands:

```
$ sudo yum install packagename
$ sudo yum search packagename
$ sudo yum remove packagename
```

In AL2023, they become the following commands:

```
$ sudo dnf install packagename
$ sudo dnf search packagename
$ sudo dnf remove packagename
```

In AL2023 the `yum` command is still available, but as a pointer to the `dnf` command. So, when the `yum` command is used in the shell or in a script, all commands and options are the same as the DNF CLI. For more information about the differences between the YUM CLI and the DNF CLI, see [Changes in DNF CLI compared to YUM](https://dnf.readthedocs.io/en/latest/cli_vs_yum.html).

For a complete reference of commands and options for the `dnf` command, refer to the man page `man dnf`. For more information, see [DNF Command Reference](https://dnf.readthedocs.io/en/latest/command_ref.html).

# Default SSH server configuration
<a name="ssh-host-keys-disabled"></a>

If you have SSH clients from several years ago, you might see an error when you connect to an instance. If the error tells you there's no matching host key type found, update your SSH host key to troubleshoot this issue.

**Default disabling of `ssh-rsa` signatures**

AL2023 includes a default configuration that disables the legacy `ssh-rsa` host key algorithm and generates a reduced set of host keys. Clients must support the `ssh-ed25519` or the `ecdsa-sha2-nistp256` host key algorithm.

The default configuration accepts any of these key exchange algorithms:
+ `curve25519-sha256`
+ `curve25519-sha256@libssh.org`
+ `ecdh-sha2-nistp256`
+ `ecdh-sha2-nistp384`
+ `ecdh-sha2-nistp521`
+ `diffie-hellman-group-exchange-sha256`
+ `diffie-hellman-group14-sha256`
+ `diffie-hellman-group16-sha512`
+ `diffie-hellman-group18-sha512`

By default, AL2023 generates `ed25519` and `ECDSA` host keys. Clients must support either the `ssh-ed25519` or the `ecdsa-sha2-nistp256` host key algorithm. When you connect by SSH to an instance, you must use a client that supports a compatible algorithm, such as `ssh-ed25519` or `ecdsa-sha2-nistp256`. If you need to use other key types, override the list of generated keys with a `cloud-config` fragment in user-data.

In the following example, `cloud-config` generates an `rsa` host key in addition to the `ecdsa` and `ed25519` keys.

```
#cloud-config
ssh_genkeytypes:
- ed25519
- ecdsa
- rsa
```

If you use an RSA key pair for public key authentication, your SSH client must support an `rsa-sha2-256` or `rsa-sha2-512` signature. If you're using an incompatible client and can't upgrade, re-enable `ssh-rsa` support on your instance. To re-enable `ssh-rsa` support, activate the `LEGACY` system crypto policy using the following commands.

```
$ sudo dnf install crypto-policies-scripts
$ sudo update-crypto-policies --set LEGACY
```

For more information about managing host keys, see [Amazon Linux Host keys](https://cloudinit.readthedocs.io/en/22.2.2/topics/modules.html#host-keys).
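Before changing host key types or switching the instance to the `LEGACY` crypto policy, it is worth confirming what the connecting client actually supports. The following added shell example (not part of the AL2023 documentation) compares a client's advertised algorithm lists against the default host key and key exchange algorithms named in this section. The algorithm lists for AL2023 are taken from the page; the two client lists are constructed samples in the format that `ssh -Q key` and `ssh -Q kex` print; `common_algorithms` and `check_client` are helper names chosen for the example.

```shell
#!/bin/sh
# Added example, not from the AL2023 documentation: check whether an SSH client
# can negotiate with an AL2023 instance's default sshd configuration.
# The server-side lists are the defaults named on this page; a real client's
# lists come from `ssh -Q key` and `ssh -Q kex`.

# Host key algorithms an AL2023 instance offers by default (ed25519 and ECDSA keys)
AL2023_HOSTKEY_ALGS="ssh-ed25519 ecdsa-sha2-nistp256"

# Key exchange algorithms accepted by the default sshd configuration
AL2023_KEX_ALGS="curve25519-sha256 curve25519-sha256@libssh.org \
ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 \
diffie-hellman-group16-sha512 diffie-hellman-group18-sha512"

# Print the algorithms in $1 (space-separated server list) that also appear in
# $2 (newline-separated client list, as `ssh -Q` prints it), in server order.
# Returns 1 when there is no overlap, which means negotiation would fail.
common_algorithms() {
  server_list=$1
  client_list=$2
  found=""
  for alg in $server_list; do
    # fixed-string, whole-line match so "ssh-rsa" does not match "rsa-sha2-256"
    if printf '%s\n' "$client_list" | grep -qxF -- "$alg"; then
      found="$found $alg"
    fi
  done
  found=${found# }
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Evaluate a client from its `ssh -Q key` ($1) and `ssh -Q kex` ($2) output.
# Prints a verdict and returns 0 only when both negotiations can succeed.
check_client() {
  keys=$(common_algorithms "$AL2023_HOSTKEY_ALGS" "$1") || {
    echo "no compatible host key algorithm: update the client"; return 1; }
  kex=$(common_algorithms "$AL2023_KEX_ALGS" "$2") || {
    echo "no compatible key exchange algorithm: update the client"; return 1; }
  echo "compatible (host key: $keys; kex: $kex)"
}

# Constructed sample: a client from several years ago that only knows ssh-rsa/ssh-dss
LEGACY_CLIENT_KEYS="ssh-rsa
ssh-dss"
LEGACY_CLIENT_KEX="diffie-hellman-group1-sha1
diffie-hellman-group14-sha1"

# Constructed sample: a current client
MODERN_CLIENT_KEYS="ssh-ed25519
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
rsa-sha2-512
ssh-rsa"
MODERN_CLIENT_KEX="curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group14-sha256"

check_client "$LEGACY_CLIENT_KEYS" "$LEGACY_CLIENT_KEX" || :
check_client "$MODERN_CLIENT_KEYS" "$MODERN_CLIENT_KEX"

# On a workstation, query the installed client instead of the samples
if command -v ssh >/dev/null 2>&1; then
  check_client "$(ssh -Q key)" "$(ssh -Q kex)" || :
fi
```

When the verdict is that the client lacks a compatible host key algorithm, updating the client is the change that keeps the instance on its default policy; the `ssh_genkeytypes` override and the `LEGACY` crypto policy described above widen what the instance accepts and should be the fallback, not the first step.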