Amazon Linux
Amazon Linux is provided by Amazon Web Services (Amazon). It is designed to provide a stable, secure, and high-performance execution environment for applications running on Amazon EC2. It also includes packages that enable easy integration with Amazon, including launch configuration tools and many popular Amazon libraries and tools. Amazon provides ongoing security and maintenance updates for all instances running Amazon Linux. Many applications developed on CentOS (and similar distributions) run on Amazon Linux.
Contents
- Amazon Linux availability
- Connect to an Amazon Linux instance
- Identify Amazon Linux images
- Amazon Linux 2 AMI boot mode
- Amazon command line tools
- Package repository
- Extras library (Amazon Linux 2)
- Amazon Linux 2 supported kernels
- Access source packages for reference
- cloud-init
- Subscribe to Amazon Linux notifications
- Run Amazon Linux 2 as a virtual machine on premises
- Kernel Live Patching on Amazon Linux 2
Amazon Linux availability
Amazon provides Amazon Linux 2023, Amazon Linux 2, and the Amazon Linux AMI. If you are migrating from another Linux distribution to Amazon Linux, we recommend that you migrate to Amazon Linux 2023.
Note
Standard support for the Amazon Linux AMI ended on December 31, 2020. The Amazon Linux AMI is now in a maintenance support phase which ends December 31, 2023. For more information about the Amazon Linux AMI EOL and maintenance support, see the blog post Update on Amazon Linux AMI end-of-life.
For more information about Amazon Linux, see Amazon Linux 2023.
For Amazon Linux container images, see Amazon Linux container image in the Amazon Elastic Container Registry User Guide.
Connect to an Amazon Linux instance
Amazon Linux does not allow remote root secure shell (SSH) by default. Also, password authentication is disabled to prevent brute-force password attacks. To enable SSH logins to an Amazon Linux instance, you must provide your key pair to the instance at launch. You must also set the security group used to launch your instance to allow SSH access. By default, the only account that can log in remotely using SSH is ec2-user; this account also has sudo privileges. If you enable remote root login, be aware that it is less secure than relying on key pairs and a secondary user.
Identify Amazon Linux images
Each image contains a unique /etc/image-id file that identifies it. This file contains the following information about the image:
- image_name, image_version, image_arch – Values from the build recipe that Amazon used to construct the image.
- image_stamp – A unique, random hex value generated during image creation.
- image_date – The UTC time of image creation, in YYYYMMDDhhmmss format.
- recipe_name, recipe_id – The name and ID of the build recipe Amazon used to construct the image.
Amazon Linux contains an /etc/system-release file that specifies the current release that is installed. This file is updated using yum and is part of the system-release RPM Package Manager (RPM).
Amazon Linux also contains a machine-readable version of /etc/system-release that follows the Common Platform Enumeration (CPE) specification; see /etc/system-release-cpe.
Amazon Linux 2
The following is an example of /etc/image-id for the current version of Amazon Linux 2.
[ec2-user ~]$ cat /etc/image-id
image_name="amzn2-ami-hvm"
image_version="2"
image_arch="x86_64"
image_file="amzn2-ami-hvm-2.0.20180810-x86_64.xfs.gpt"
image_stamp="8008-2abd"
image_date="20180811020321"
recipe_name="amzn2 ami"
recipe_id="c652686a-2415-9819-65fb-4dee-9792-289d-1e2846bd"
The following is an example of /etc/system-release for the current version of Amazon Linux 2.
[ec2-user ~]$ cat /etc/system-release
Amazon Linux 2
The following is an example of /etc/os-release for Amazon Linux 2.
[ec2-user ~]$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux AMI
The following is an example of /etc/image-id for the current Amazon Linux AMI.
[ec2-user ~]$ cat /etc/image-id
image_name="amzn-ami-hvm"
image_version="2018.03"
image_arch="x86_64"
image_file="amzn-ami-hvm-2018.03.0.20180811-x86_64.ext4.gpt"
image_stamp="cc81-f2f3"
image_date="20180811012746"
recipe_name="amzn ami"
recipe_id="5b283820-dc60-a7ea-d436-39fa-439f-02ea-5c802dbd"
The following is an example of /etc/system-release for the current Amazon Linux AMI.
[ec2-user ~]$ cat /etc/system-release
Amazon Linux AMI release 2018.03
Amazon Linux 2 AMI boot mode
Amazon Linux 2 AMIs don't have a boot mode parameter set. Instances launched from Amazon Linux 2 AMIs follow the default boot mode value of the instance type. For more information, see Boot modes.
Amazon command line tools
The Amazon Command Line Interface (Amazon CLI) is an open source tool that provides a consistent interface to interact with Amazon Web Services using commands in your command-line shell. For more information, see What is the Amazon Command Line Interface? in the Amazon Command Line Interface User Guide.
Amazon Linux 2 and the Amazon Linux AMI have version 1 of the Amazon CLI preinstalled. The current release of Amazon Linux, Amazon Linux 2023, has version 2 of the Amazon CLI preinstalled. For more information about using the Amazon CLI on Amazon Linux 2023, see Get started with Amazon Linux 2023 in the Amazon Linux 2023 User Guide.
Package repository
This information applies to Amazon Linux 2 and the Amazon Linux AMI. For information about Amazon Linux 2023, see Managing packages and operating system updates in the Amazon Linux 2023 User Guide.
Amazon Linux 2 and the Amazon Linux AMI are designed to be used with online package repositories hosted in each Amazon EC2 Amazon Region. The repositories are available in all Regions and are accessed using yum update tools. Hosting repositories in each Region enables us to deploy updates quickly and without any data transfer charges.
Important
The last version of the Amazon Linux AMI ended standard support on December 31, 2020 and maintenance support ends on December 31, 2023. For more information, see Amazon Linux AMI end-of-life.
If you don't need to preserve data or customizations for your instances, you can launch new instances using the current Amazon Linux 2 AMI. If you need to preserve data or customizations for your instances, you can maintain those instances through the Amazon Linux package repositories. These repositories contain all the updated packages. You can choose to apply these updates to your running instances. Older versions of the AMI and update packages continue to be available for use, even as new versions are released.
Note
To update and install packages without internet access on an EC2 instance, see How can I update yum or install packages without internet access on my Amazon EC2 instances running Amazon Linux, Amazon Linux 2, or Amazon Linux 2023?
To install packages, use the following command:
[ec2-user ~]$ sudo yum install package
If you find that Amazon Linux doesn't contain an application that you need, you can install the application directly on your Amazon Linux instance. Amazon Linux uses RPMs and yum for package management, and that is likely the simplest way to install new applications. You should check to see if an application is available in our central Amazon Linux repository first, because many applications are available there. These applications can be easily added to your Amazon Linux instance.
To upload your applications onto a running Amazon Linux instance, use scp or sftp and then configure the application by logging in to your instance. Your applications can also be uploaded during the instance launch by using the PACKAGE_SETUP action from the built-in cloud-init package. For more information, see cloud-init.
Security updates
Security updates are provided using the package repositories as well as updated AMIs. Security alerts are published in the Amazon Linux Security Center.
Amazon Linux and Amazon Linux 2 are configured to download and install critical or important security updates at launch time. Kernel updates are not included in this configuration.
In Amazon Linux 2023, this configuration has changed compared to Amazon Linux and Amazon Linux 2. For more information about security updates for Amazon Linux 2023, see Security updates and features in the Amazon Linux 2023 User Guide.
We recommend that you make the necessary updates for your use case after launch. For example, you may want to apply all updates (not just security updates) at launch, or evaluate each update and apply only the ones applicable to your system. This is controlled using the following cloud-init setting: repo_upgrade. The following snippet of cloud-init configuration shows how you can change the settings in the user data text you pass to your instance initialization:
#cloud-config
repo_upgrade: security
The possible values for repo_upgrade are as follows:
- critical – Apply outstanding critical security updates.
- important – Apply outstanding critical and important security updates.
- medium – Apply outstanding critical, important, and medium security updates.
- low – Apply all outstanding security updates, including low-severity security updates.
- security – Apply outstanding critical or important updates that Amazon marks as security updates.
- bugfix – Apply updates that Amazon marks as bug fixes. Bug fixes are a larger set of updates, which include security updates and fixes for various other minor bugs.
- all – Apply all applicable available updates, regardless of their classification.
- none – Don't apply any updates to the instance on start up.
The default setting for repo_upgrade is security. That is, if you don't specify a different value in your user data, by default, Amazon Linux performs the security upgrades at launch for any packages installed at that time. Amazon Linux also notifies you of any updates to the installed packages by listing the number of available updates upon login using the /etc/motd file. To install these updates, you need to run sudo yum upgrade on the instance.
Repository configuration
For Amazon Linux and Amazon Linux 2, AMIs are a snapshot of the packages available at the time the AMI was created, with the exception of security updates. Any packages not on the original AMI, but installed at run time, will be the latest version available. To get the latest packages available for Amazon Linux 2, run yum update -y.
For Amazon Linux 2023, the repository configuration has changed compared to Amazon Linux and Amazon Linux 2. For more information about the Amazon Linux 2023 repository, see Managing packages and operating system updates.
Versions up to Amazon Linux 2023 were configured to deliver a continuous flow of updates to roll from one minor version of Amazon Linux to the next version, also called rolling releases. As a best practice, we recommend you update your AMI to the latest available AMI. Don't launch Amazon Linux AMIs that use an older version, such as 2017.09.
In-place upgrades are not supported between major Amazon Linux versions, such as from Amazon Linux to Amazon Linux 2 or from Amazon Linux 2 to Amazon Linux 2023. For more information, see Amazon Linux availability.
Using lock-on-launch in Amazon Linux
You can disable rolling releases by enabling the lock-on-launch feature. The lock-on-launch feature locks your instance to receive updates only from the specified release of the AMI. For example, you can launch a 2017.09 AMI and have it receive only the updates that were released prior to the 2018.03 AMI, until you are ready to migrate to the 2018.03 AMI.
Important
If you enable the lock-on-launch feature and choose a version of the repositories that is not the latest, you don't receive further updates. To receive rolling releases, you must use the latest AMI, or consistently update your AMI with the repositories pointed to latest.
To enable the lock-on-launch feature in new instances, launch them with the following user data passed to cloud-init:
#cloud-config
repo_releasever: 2017.09
To lock existing instances to their current AMI version
- Edit /etc/yum.conf.
- Comment out releasever=latest.
- To clear the cache, run yum clean all.
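The repo_upgrade and repo_releasever settings described above decide whether an instance patches itself at launch, so they are worth checking before user data is used. The following is an added example, not code from Amazon Linux or cloud-init: a review helper that reads cloud-config text and reports the effective settings. The function name, the sample user data, and the treatment of "latest" as unlocked are assumptions of this example.

```python
import re

# Values the page lists for repo_upgrade, and the default it states.
REPO_UPGRADE_VALUES = {"critical", "important", "medium", "low",
                       "security", "bugfix", "all", "none"}
DEFAULT_REPO_UPGRADE = "security"

# Top-level "key: value" lines only; a trailing "# comment" is ignored.
_SETTING = re.compile(r"^(repo_upgrade|repo_releasever)\s*:\s*(.*?)\s*(?:#.*)?$")


def audit_cloud_config(user_data):
    """Return the effective update settings and findings for cloud-config text."""
    lines = user_data.splitlines()
    if not lines or lines[0].strip() != "#cloud-config":
        return {"repo_upgrade": None, "repo_releasever": None,
                "findings": ["not cloud-config data; update settings not evaluated"]}
    settings = {}
    for line in lines[1:]:
        match = _SETTING.match(line)
        if match:
            # A later occurrence of the same key replaces an earlier one.
            settings[match.group(1)] = match.group(2).strip("'\"")
    upgrade = settings.get("repo_upgrade", DEFAULT_REPO_UPGRADE)
    releasever = settings.get("repo_releasever")
    findings = []
    if upgrade not in REPO_UPGRADE_VALUES:
        findings.append(f"repo_upgrade '{upgrade}' is not a documented value")
    elif upgrade == "none":
        findings.append("repo_upgrade is none: no updates are applied on start up")
    elif upgrade == "critical":
        findings.append("repo_upgrade is critical: narrower than the default, "
                        "important updates are not applied at launch")
    # Assumption of this example: "latest" means the instance is not locked.
    if releasever and releasever != "latest":
        findings.append(f"lock-on-launch pins repositories to {releasever}: "
                        "no further updates if this is not the latest release")
    return {"repo_upgrade": upgrade, "repo_releasever": releasever,
            "findings": findings}


# Constructed user data: updates disabled and repositories locked to 2017.09.
SAMPLE = "#cloud-config\nrepo_upgrade: none\nrepo_releasever: 2017.09\n"

if __name__ == "__main__":
    for finding in audit_cloud_config(SAMPLE)["findings"]:
        print(finding)
```
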
Extras library (Amazon Linux 2)
With Amazon Linux 2, you can use the Extras Library to install application and software updates on your instances. These software updates are known as topics. You can install a specific version of a topic or omit the version information to use the most recent version.
To list the available topics, use the following command:
[ec2-user ~]$ amazon-linux-extras list
To enable a topic and install the latest version of its package to ensure freshness, use the following command:
[ec2-user ~]$ sudo amazon-linux-extras install topic
To enable topics and install specific versions of their packages to ensure stability, use the following command:
[ec2-user ~]$ sudo amazon-linux-extras install topic=version topic=version
To remove a package installed from a topic, use the following command:
[ec2-user ~]$ sudo yum remove $(yum list installed | grep amzn2extra-topic | awk '{ print $1 }')
Note
This command does not remove packages that were installed as dependencies of the extra.
To disable a topic and make the packages inaccessible to the yum package manager, use the following command:
[ec2-user ~]$ sudo amazon-linux-extras disable topic
Important
This command is intended for advanced users. Improper usage of this command could cause package compatibility conflicts.
Amazon Linux 2 supported kernels
Supported kernel versions
Currently, Amazon Linux 2 (AL2) AMIs are available with kernel versions 4.14 and 5.10, with version 5.10 being the default. You also have the option of upgrading the kernel on AL2 to version 5.15 by using the extras repository. Note that an upgrade to 5.15 requires a reboot for the new kernel to take effect. Review the new features and limitations of kernel version 5.15 on AL2 before deciding whether an upgrade is required for your use case. If you require live patching support, we recommend that you use the AL2 AMI with kernel 5.10.
New features in kernel 5.15
- Kernel-based Virtual Machine (KVM) now defaults to the new x86 TDP MMU and adds AMD SVM 5-level paging to allow for greater parallelism and scalability compared to the original KVM x86 MMU code.
- OverlayFS has improved performance and now also handles copying immutable/append/sync/noatime attributes.
- New optimizations and improvements for EXT4 are added, such as addition of a new orphan_file feature to eliminate bottlenecks in cases of large parallel truncates, file deletions and moving the DISCARD work out of the JBD2 commit thread to help with devices having slow DISCARD behavior and not blocking the JBD2 commit KThread.
- New optimizations and improvements for XFS are added, such as batch inode activations in per-CPU background threads that improve directory tree deletion times and enablement of pipelining to help with performance around handling lots of metadata updates.
- DAMON is better supported as the data access monitoring framework for proactive memory reclamation and performance analysis.
Limitations for kernel 5.15
- LustreFSx is not supported (support will be added later).
- Kernel live patching is not supported.
Instructions for installing kernel 5.15
You can upgrade to kernel 5.15 from both Amazon Linux 2 AMI with kernel 4.14 and AL2 AMI with kernel 5.10 using the following commands:
- Enable the kernel-5.15 topic in amazon-linux-extras and install kernel 5.15 on the host.
  sudo amazon-linux-extras install kernel-5.15
- Reboot the host with the installed kernel 5.15.
  sudo reboot
- Check the system kernel version.
  uname -r
Support Timeframe
All Linux kernels available on Amazon Linux 2 (4.14, 5.10, and 5.15) will be supported until Amazon Linux 2 AMI reaches the end of standard support.
Live patching support
Amazon Linux 2 kernel version | Kernel live patching supported |
4.14 | Yes |
5.10 | Yes |
5.15 | No |
Access source packages for reference
You can view the source of packages you have installed on your instance for reference purposes by using tools provided in Amazon Linux. Source packages are available for all of the packages included in Amazon Linux and the online package repository. Simply determine the package name for the source package you want to install and use the yumdownloader --source command to view source within your running instance. For example:
[ec2-user ~]$ yumdownloader --source bash
The source RPM can be unpacked, and, for reference, you can view the source tree using standard RPM tools. After you finish debugging, the package is available for use.
cloud-init
The cloud-init package is an open-source application built by Canonical that is used to bootstrap Linux images in a cloud computing environment, such as Amazon EC2. Amazon Linux contains a customized version of cloud-init. It enables you to specify actions that should happen to your instance at boot time. You can pass desired actions to cloud-init through the user data fields when launching an instance. This means you can use common AMIs for many use cases and configure them dynamically at startup. Amazon Linux also uses cloud-init to perform initial configuration of the ec2-user account.
For more information, see the cloud-init documentation.
Amazon Linux uses the cloud-init actions found in /etc/cloud/cloud.cfg.d and /etc/cloud/cloud.cfg. You can create your own cloud-init action files in /etc/cloud/cloud.cfg.d. All files in this directory are read by cloud-init. They are read in lexical order, and later files overwrite values in earlier files.
The cloud-init package performs these (and other) common configuration tasks for instances at boot:
- Set the default locale.
- Set the hostname.
- Parse and handle user data.
- Generate host private SSH keys.
- Add a user's public SSH keys to .ssh/authorized_keys for easy login and administration.
- Prepare the repositories for package management.
- Handle package actions defined in user data.
- Execute user scripts found in user data.
- Mount instance store volumes, if applicable.
  - By default, the ephemeral0 instance store volume is mounted at /media/ephemeral0 if it is present and contains a valid file system; otherwise, it is not mounted.
  - By default, any swap volumes associated with the instance are mounted (only for m1.small and c1.medium instance types).
  - You can override the default instance store volume mount with the following cloud-init directive:
    #cloud-config
    mounts:
    - [ ephemeral0 ]
    For more control over mounts, see Mounts in the cloud-init documentation.
  - Instance store volumes that support TRIM are not formatted when an instance launches, so you must partition and format them before you can mount them. For more information, see Instance store volume TRIM support. You can use the disk_setup module to partition and format your instance store volumes at boot. For more information, see Disk Setup in the cloud-init documentation.
Supported user-data formats
The cloud-init package supports user-data handling of a variety of formats:
- Gzip
  - If user-data is gzip compressed, cloud-init decompresses the data and handles it appropriately.
- MIME multipart
  - Using a MIME multipart file, you can specify more than one type of data. For example, you could specify both a user-data script and a cloud-config type. Each part of the multipart file can be handled by cloud-init if it is one of the supported formats.
- Base64 decoding
  - If user-data is base64-encoded, cloud-init determines if it can understand the decoded data as one of the supported types. If it understands the decoded data, it decodes the data and handles it appropriately. If not, it returns the base64 data intact.
- User-Data script
  - Begins with #! or Content-Type: text/x-shellscript.
  - The script is run by /etc/init.d/cloud-init-user-scripts during the first boot cycle. This occurs late in the boot process (after the initial configuration actions are performed).
- Include file
  - Begins with #include or Content-Type: text/x-include-url.
  - This content is an include file. The file contains a list of URLs, one per line. Each of the URLs is read, and their content passed through this same set of rules. The content read from the URL can be gzip compressed, MIME-multi-part, or plaintext.
- Cloud Config Data
  - Begins with #cloud-config or Content-Type: text/cloud-config.
  - This content is cloud-config data. For a commented example of supported configuration formats, see the examples.
- Upstart job (not supported on Amazon Linux 2)
  - Begins with #upstart-job or Content-Type: text/upstart-job.
  - This content is stored in a file in /etc/init, and upstart consumes the content as per other upstart jobs.
- Cloud Boothook
  - Begins with #cloud-boothook or Content-Type: text/cloud-boothook.
  - This content is boothook data. It is stored in a file under /var/lib/cloud and then runs immediately.
  - This is the earliest hook available. There is no mechanism provided for running it only one time. The boothook must take care of this itself. It is provided with the instance ID in the environment variable INSTANCE_ID. Use this variable to provide a once-per-instance set of boothook data.
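Because user data can be wrapped in gzip, base64, and MIME multipart layers, a review of what an instance will run at boot has to unwrap it the same way. The following is an added example, not cloud-init's own code: it applies the format rules listed above to report which content types a user-data blob contains. The size and depth limits, the function names, and the sample data are assumptions of this example.

```python
import base64
import binascii
import gzip
import zlib
from email import message_from_bytes

# Markers and MIME types the page lists for each user-data format.
PREFIX_TYPES = {
    b"#!": "text/x-shellscript",
    b"#include": "text/x-include-url",
    b"#cloud-config": "text/cloud-config",
    b"#upstart-job": "text/upstart-job",
    b"#cloud-boothook": "text/cloud-boothook",
}
RUNS_CODE = {"text/x-shellscript", "text/upstart-job", "text/cloud-boothook"}
MAX_BYTES = 1 << 20   # assumed review limit for decompressed data
MAX_DEPTH = 4         # assumed limit on nested gzip/base64 layers


def _gunzip(data):
    """Decompress gzip data, refusing output larger than MAX_BYTES."""
    stream = zlib.decompressobj(wbits=31)      # wbits=31 selects gzip framing
    out = stream.decompress(data, MAX_BYTES)
    if stream.unconsumed_tail:
        raise ValueError("decompressed user data exceeds the review limit")
    return out


def classify(data, depth=0):
    """Return the content types found in user data, in document order."""
    if depth > MAX_DEPTH:
        return ["unknown"]
    if data[:2] == b"\x1f\x8b":                # gzip magic number
        return classify(_gunzip(data), depth + 1)
    if data[:13].lower() in (b"content-type:", b"mime-version:"):
        found = []
        for part in message_from_bytes(data).walk():
            if part.is_multipart():
                continue                       # container; its parts follow
            ctype = part.get_content_type()
            if ctype in PREFIX_TYPES.values():
                found.append(ctype)
            else:
                found += classify(part.get_payload(decode=True) or b"", depth + 1)
        return found
    for prefix, ctype in PREFIX_TYPES.items():
        if data.startswith(prefix):
            return [ctype]
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return ["unknown"]
    # Base64 only counts when the decoded data is itself a supported type.
    return classify(decoded, depth + 1) if decoded else ["unknown"]


def review(data):
    """Summarise what the user data will do at boot."""
    types = classify(data)
    return {"types": types,
            "runs_code_at_boot": any(t in RUNS_CODE for t in types),
            "fetches_remote_content": "text/x-include-url" in types}


# Constructed sample: multipart user data, gzip-compressed, then base64-encoded.
SAMPLE_MIME = (
    b'Content-Type: multipart/mixed; boundary="==BOUNDARY=="\n'
    b"MIME-Version: 1.0\n\n"
    b"--==BOUNDARY==\nContent-Type: text/cloud-config\n\n"
    b"#cloud-config\nrepo_upgrade: security\n"
    b"--==BOUNDARY==\nContent-Type: text/x-shellscript\n\n"
    b"#!/bin/bash\necho constructed-example\n"
    b"--==BOUNDARY==--\n"
)
SAMPLE_WRAPPED = base64.b64encode(gzip.compress(SAMPLE_MIME))

if __name__ == "__main__":
    print(review(SAMPLE_WRAPPED))
```
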
Subscribe to Amazon Linux notifications
To be notified when new Amazon Linux AMIs are released, you can subscribe using Amazon SNS.
For information about subscribing to notifications for Amazon Linux 2023, see Receiving notifications on new updates in the Amazon Linux 2023 User Guide.
Note
Standard support for the Amazon Linux AMI ended on December 31, 2020. The Amazon Linux AMI is now in a maintenance support phase which ends December 31, 2023. For more information about the Amazon Linux AMI EOL and maintenance support, see the blog post Update on Amazon Linux AMI end-of-life.
To subscribe to Amazon Linux notifications
- Open the Amazon SNS console at https://console.amazonaws.cn/sns/v3/home.
- In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must select the Region in which the SNS notification that you are subscribing to was created.
- In the navigation pane, choose Subscriptions, Create subscription.
- For the Create subscription dialog box, do the following:
  - [Amazon Linux 2] For Topic ARN, copy and paste the following Amazon Resource Name (ARN): arn:aws:sns:us-east-1:137112412989:amazon-linux-2-ami-updates.
  - [Amazon Linux] For Topic ARN, copy and paste the following Amazon Resource Name (ARN): arn:aws:sns:us-east-1:137112412989:amazon-linux-ami-updates.
  - For Protocol, choose Email.
  - For Endpoint, enter an email address that you can use to receive the notifications.
  - Choose Create subscription.
- You receive a confirmation email with the subject line "Amazon Notification - Subscription Confirmation". Open the email and choose Confirm subscription to complete your subscription.
Whenever AMIs are released, we send notifications to the subscribers of the corresponding topic. To stop receiving these notifications, use the following procedure to unsubscribe.
To unsubscribe from Amazon Linux notifications
- Open the Amazon SNS console at https://console.amazonaws.cn/sns/v3/home.
- In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must use the Region in which the SNS notification was created.
- In the navigation pane, choose Subscriptions, select the subscription, and choose Actions, Delete subscriptions.
- When prompted for confirmation, choose Delete.
Amazon Linux AMI SNS message format
The schema for the SNS message is as follows.
{
  "description": "Validates output from AMI Release SNS message",
  "type": "object",
  "properties": {
    "v1": {
      "type": "object",
      "properties": {
        "ReleaseVersion": {
          "description": "Major release (ex. 2018.03)",
          "type": "string"
        },
        "ImageVersion": {
          "description": "Full release (ex. 2018.03.0.20180412)",
          "type": "string"
        },
        "ReleaseNotes": {
          "description": "Human-readable string with extra information",
          "type": "string"
        },
        "Regions": {
          "type": "object",
          "description": "Each key will be a region name (ex. us-east-1)",
          "additionalProperties": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "Name": {
                  "description": "AMI Name (ex. amzn-ami-hvm-2018.03.0.20180412-x86_64-gp2)",
                  "type": "string"
                },
                "ImageId": {
                  "description": "AMI Name (ex.ami-467ca739)",
                  "type": "string"
                }
              },
              "required": [
                "Name",
                "ImageId"
              ]
            }
          }
        }
      },
      "required": [
        "ReleaseVersion",
        "ImageVersion",
        "ReleaseNotes",
        "Regions"
      ]
    }
  },
  "required": [
    "v1"
  ]
}
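Automation that acts on these notifications should reject any message that does not match the schema above before using an AMI ID from it. The following is an added example, not code from Amazon: it enforces the schema's required fields and types by hand and returns the images for one Region. It assumes the notification is consumed as the JSON envelope that SNS delivers to non-email endpoints (with TopicArn and Message fields); the function names, the AMI ID pattern, and the sample envelope are assumptions of this example.

```python
import json
import re

# Topic ARNs given on the page.
EXPECTED_TOPICS = {
    "arn:aws:sns:us-east-1:137112412989:amazon-linux-2-ami-updates",
    "arn:aws:sns:us-east-1:137112412989:amazon-linux-ami-updates",
}
V1_STRINGS = ("ReleaseVersion", "ImageVersion", "ReleaseNotes")
# Assumed shape of an AMI ID: "ami-" plus 8 or 17 lowercase hex digits.
AMI_ID = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def validate_release(message):
    """Parse a message body, enforce the schema, and return its v1 object."""
    doc = json.loads(message)
    v1 = doc.get("v1") if isinstance(doc, dict) else None
    if not isinstance(v1, dict):
        raise ValueError("required object 'v1' is missing")
    for key in V1_STRINGS:
        if not isinstance(v1.get(key), str):
            raise ValueError(f"v1.{key} must be a string")
    regions = v1.get("Regions")
    if not isinstance(regions, dict):
        raise ValueError("v1.Regions must be an object")
    for region, images in regions.items():
        if not isinstance(images, list):
            raise ValueError(f"Regions.{region} must be an array")
        for image in images:
            if not isinstance(image, dict):
                raise ValueError(f"Regions.{region} items must be objects")
            for key in ("Name", "ImageId"):
                if not isinstance(image.get(key), str):
                    raise ValueError(f"Regions.{region}: {key} must be a string")
            if not AMI_ID.match(image["ImageId"]):
                raise ValueError(f"Regions.{region}: malformed ImageId")
    return v1


def images_for(envelope, region):
    """Return (Name, ImageId) pairs for one Region from an SNS JSON envelope."""
    # A matching TopicArn is a routing check only; it does not authenticate
    # the sender, so the SNS message signature must be verified separately.
    if envelope.get("TopicArn") not in EXPECTED_TOPICS:
        raise ValueError("notification is not from an Amazon Linux AMI topic")
    v1 = validate_release(envelope["Message"])
    return [(i["Name"], i["ImageId"]) for i in v1["Regions"].get(region, [])]


# Constructed sample, built from the example values in the schema descriptions.
SAMPLE_ENVELOPE = {
    "TopicArn": "arn:aws:sns:us-east-1:137112412989:amazon-linux-ami-updates",
    "Message": json.dumps({"v1": {
        "ReleaseVersion": "2018.03",
        "ImageVersion": "2018.03.0.20180412",
        "ReleaseNotes": "constructed example",
        "Regions": {"us-east-1": [{
            "Name": "amzn-ami-hvm-2018.03.0.20180412-x86_64-gp2",
            "ImageId": "ami-467ca739"}]},
    }}),
}

if __name__ == "__main__":
    print(images_for(SAMPLE_ENVELOPE, "us-east-1"))
```
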